TOTP Authenticator
Generate 2FA codes (Google Authenticator compatible). Add secrets manually or scan QR codes. Free online TOTP generator for testing two-factor authentication
A TOTP code (the 6-digit number Google Authenticator and 1Password show) is a fixed function of three things: the shared secret, the current time, and the algorithm parameters (SHA1, 30-second step, 6 digits). This tool computes TOTP codes from any otpauth:// URI or raw base32 secret, in your browser, so you can: test that your backend's TOTP verification is correct, recover a code when your phone is dead, or migrate secrets between authenticator apps. Codes are computed locally — the secret never leaves your tab.
How TOTP actually works
TOTP is HOTP with the counter set to floor(unix_time / 30). HOTP (RFC 4226) is HMAC-SHA1(secret, counter) with the counter encoded as an 8-byte big-endian integer, then truncated from the 20-byte HMAC to 4 bytes via "dynamic truncation" (use the low 4 bits of the last byte as an offset, take 4 bytes from there), masked to a 31-bit integer, and reduced modulo 10^digits. TOTP (RFC 6238) is the same algorithm with a time-based counter.
The default parameters that 99% of services use: SHA1, 30-second step, 6 digits. Some (Steam, Battle.net) use 5 digits; some use SHA256 or SHA512; the otpauth:// URI specifies all of them. Mismatched algorithm parameters are the most common "the code is rejected" cause — both sides must agree.
Working example
Input
Secret (base32): JBSWY3DPEHPK3PXP
Algorithm: SHA1
Digits: 6
Period: 30 seconds
Output
Current Unix time: 1747353600
Counter: 1747353600 / 30 = 58245120
HMAC-SHA1(secret, counter) = 1f8634d2c4d2f33e6e23e9ba6e23e9ba6e23e9ba
Last byte = 0xba → offset = 0xa = 10
4 bytes from offset 10: 6e23e9ba
Masked to 31 bits: 0x6e23e9ba = 1847510458
1847510458 mod 1,000,000 = 510458
Code: 510458
Valid until: 1747353630 (30 seconds from start of period)
The example secret JBSWY3DPEHPK3PXP is "Hello!" in base32 and is the standard "test vector" secret shipped with most TOTP libraries. Do NOT use it for real accounts.
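The algorithm and the otpauth:// input described above, as an added example that is not the tool's own code: HOTP with dynamic truncation, TOTP on top of it, a parser for otpauth://totp URIs that applies the spec defaults, and a server-side verifier that accepts one step either side. It is checked against the published RFC 4226 and RFC 6238 test vectors (secret 12345678901234567890), so you can run the same vectors against your own backend; the base32 decoder assumes unpadded, lowercase or space-separated secrets are acceptable input, as authenticator apps commonly emit them.

```python
# Added example, not the tool's code: RFC 4226 HOTP / RFC 6238 TOTP, otpauth:// parsing
# and a windowed server-side check. Assumes unpadded base32 secrets are acceptable.
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase, spaces and missing '=' padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F                                   # low 4 bits of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit integer
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros

def totp(secret: bytes, at=None, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    t = int(time.time()) if at is None else at
    return hotp(secret, t // period, digits, algorithm)       # counter = floor(time / period)

def parse_otpauth(uri: str) -> dict:
    """Extract secret and parameters from otpauth://totp/...; missing params take the defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),                 # "Issuer:user@example.com"
        "secret": decode_secret(q["secret"]),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def verify(secret: bytes, code: str, at: int, window: int = 1,
           period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Server-side check: accept the current step and `window` steps either side
    (clock skew tolerance), comparing in constant time so timing does not leak matches."""
    step = at // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    rfc_secret = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # "12345678901234567890"
    print(hotp(rfc_secret, 0), totp(rfc_secret, at=59, digits=8))   # 755224 94287082
```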
Clock skew and why your code is rejected
- Server time wrong — the server's clock is more than 30 seconds off from real time. Verifiers usually accept the previous and next 30-second window (±90s tolerance total). Beyond that, every code is wrong.
- Phone time wrong — same problem, on your side. Phones sync via NTP automatically; airplane mode + battery pull can drift you a few seconds. Most authenticator apps have a "fix time" feature.
- Period mismatch — you scanned an otpauth:// URI with period=60, your app assumes 30. Codes look valid but only match every other window. Re-scan or import with explicit period.
- SHA256 / SHA512 mismatch — same story. The otpauth URI carries algorithm=SHA256; if you typed the secret manually into Google Authenticator (which assumes SHA1), the codes never match.
- Wrong digit count — Steam uses 5-digit codes with a custom alphabet (not just 0-9). Battle.net uses 8 digits. Generic authenticators show the wrong format.
When to reach for this tool
- You are implementing TOTP on the server side and need ground-truth codes to test your verification against — feed your test vectors, compare codes.
- You scanned a QR code on screen B but the camera app is on phone A — extract the secret from the otpauth:// URI manually and generate the code here.
- You are migrating from one authenticator app to another and want to verify the imported secrets produce the same codes as the old app before deleting the old one.
- Your phone is dead, you have the otpauth:// URI saved (because you exported your secrets when you set them up — you did, right?), and you need to log in now.
What this tool will not do
- It will not store your secret. Refresh the tab and it is gone. For persistent codes you want a dedicated authenticator app — 2FAS, Aegis, Raivo OTP — that backs up its secret store securely.
- It will not bypass account lockouts. If the verifier has rate-limited you after wrong codes, valid codes from here will not help until the lockout expires.
- It will not handle vendor-specific OTP. Steam Guard uses a different alphabet, Microsoft Authenticator has its own protocol on top of TOTP for push, RSA SecurID uses a different algorithm entirely (and a hardware seed).
TOTP secrets are equivalent to passwords. Pasting a secret into any web tool — including this one — is a risk. This page runs the calculation locally and does not transmit, but you should treat the secret as compromised after use and consider rotating once you regain access.
Frequently asked questions
Can two authenticator apps show the same code at the same time?
Yes — if both have the same secret and parameters. TOTP is deterministic. Migrating to a new app without deleting the old one is fine; both will show identical codes until you remove one.
Why does the code keep changing if no one is logging in?
TOTP is time-based by design. The counter increments every 30 seconds (the period parameter). The change has nothing to do with use — it is the entire point of the algorithm. The 30-second window limits replay attacks if a code is stolen.
Is TOTP safer than SMS 2FA?
Yes, substantially. SMS can be intercepted (SIM swap, SS7 attacks, carrier insider threat). TOTP requires either the secret on your device or physical access to it. Both are weaker than hardware tokens (YubiKey, FIDO2), but TOTP is the right default for second factor when hardware is not feasible.
What is in an otpauth:// URI?
A standardized URI scheme: otpauth://totp/Issuer:user@example.com?secret=BASE32&issuer=Issuer&algorithm=SHA1&digits=6&period=30. The secret is base32. Issuer and user identify the account for display in authenticator UIs. The algorithm/digits/period are optional with the defaults shown.
How long is a typical TOTP secret?
RFC 4226 recommends 160 bits (20 bytes, 32 base32 characters). Many services use 80 or 128 bits. Anything below 80 bits is too short: at that size the secret itself, not just an individual code, becomes a feasible brute-force target.
Can I reuse the same secret across multiple services?
Technically yes, but never do it. The secret is your only authenticator credential — if one service leaks it, every account using that secret is exposed. Use a separate secret per service; that is why setup ceremonies generate a new secret per enrollment.
Published · Updated · E-Utils editorial team