TOTP (One-Time Password) Generator
Generate the same 6-digit one-time password (RFC 6238) as Google Authenticator and similar apps from a Base32 TOTP secret, entirely in your browser. Your secret is never transmitted.
About the TOTP Algorithm
TOTP (Time-based One-Time Password) is a time-based one-time password algorithm defined in RFC 6238. It converts a shared secret and the current time into a counter that advances at fixed intervals, then derives a numeric code using the same dynamic truncation algorithm as HOTP (RFC 4226).
| HMAC algorithm | Choose from SHA-1 (default), SHA-256, or SHA-512 |
|---|---|
| Code length | 6 digits (the same standard length used by Google Authenticator and most major 2FA apps) |
| Refresh interval | A new code is generated every 30 seconds |
Tips
- The secret is the "setup key" string shown below the QR code when you first register two-factor authentication (2FA). If you already registered it in a phone authenticator app, entering the same secret here lets you cross-check the code.
- Some services use a hash algorithm other than SHA-1 (SHA-256 or SHA-512). If the generated code doesn't match your actual app, try switching the algorithm.
- The code refreshes automatically every 30 seconds, with a progress bar showing the time remaining. Be careful copying a code right before it expires, since it may become invalid before it reaches the service you're authenticating with.
- Closing this browser tab permanently discards the secret; nothing is ever saved anywhere. If you want to keep it as a backup, store the secret itself somewhere secure, such as a password manager.
FAQ
Side Note — Why Two-Factor Codes Settled on 6 Digits
OATH (the Initiative for Open Authentication), which drafted the TOTP specification (RFC 6238), simply reused HOTP's (RFC 4226) dynamic truncation algorithm and left the code length up to each implementation. Six digits became the de facto industry standard largely because Google Authenticator adopted that length in its original 2010 implementation, and many other services and libraries followed suit.
Six digits also happens to be a sweet spot. With one million possible combinations (10^6) and a short 30-second validity window, brute-forcing a code becomes practically impossible, while anything longer would be impractical for a human to memorize and type. It's no coincidence that most SMS verification codes are also 6 digits — the industry converged on this length for any "short-lived, disposable numeric code."
TOTP's predecessor, HOTP (RFC 4226, 2005), used a counter that had to be incremented by one every time a code was used. In practice this caused frequent sync problems — users forgetting to press a button, or the counter on the device and server drifting apart. TOTP, standardized in 2011, replaced the counter with the current time, a reference value everyone can agree on, dramatically simplifying operations.