TOTP Generator
Algorithm Details
HMAC-SHA1 based TOTP (RFC 6238). Period: 30 seconds, Digits: 6. All computation is done client-side.
About TOTP Generator
The TOTP Generator produces live Time-based One-Time Passwords (TOTP) from a Base32-encoded secret key, following the RFC 6238 specification used by all major two-factor authentication (2FA) apps including Google Authenticator, Authy, and Microsoft Authenticator. You enter your Base32 secret key and the tool immediately starts generating the current 6-digit TOTP code, updating automatically every second. A color-coded progress bar shows how many seconds remain before the code expires and a new one is generated.
This tool is designed for developers building or testing 2FA integrations, system administrators validating TOTP secrets when setting up authenticator apps, and security professionals who need to verify TOTP codes without using a mobile device. It is also useful for recovering access to accounts when your authenticator app is unavailable — if you have saved your TOTP secret key, you can generate the current code here to log in.
Technically, the implementation follows RFC 6238 precisely. The Base32 secret key is decoded to raw bytes using the standard A–Z + 2–7 alphabet. The current Unix timestamp is divided by 30 (the period) and rounded down to get the counter value, which is packed into a big-endian 8-byte array. HMAC-SHA1 is computed over the counter using the decoded key via the Web Crypto API (crypto.subtle.sign with HMAC-SHA1). A dynamic truncation extracts 4 bytes starting at the offset indicated by the low 4 bits of the last byte of the HMAC output; as RFC 4226 specifies, the most significant bit of that 4-byte value is masked off, and the 6-digit code is the result modulo 10^6, left-padded with zeros. The tool updates every second to show the correct code and the remaining time.
Key Features
- Implements RFC 6238 TOTP with HMAC-SHA1, 30-second period, and 6-digit codes
- Real-time display — code updates every second via setInterval
- Color-coded countdown bar: green (>10s), yellow (<=10s), red (<=5s)
- Accepts any standard Base32-encoded TOTP secret (A–Z and 2–7 characters)
- One-click copy of the current TOTP code to clipboard
- Shows remaining seconds before code expiry
- 100% client-side using Web Crypto API HMAC-SHA1 — no server calls
- No sign-up, no download, completely free with no usage limits
Frequently Asked Questions
What is TOTP and how does it work?
TOTP (Time-based One-Time Password) is a two-factor authentication algorithm defined in RFC 6238. It generates a 6-digit code by computing HMAC-SHA1 over a counter derived from the current Unix time divided by 30 (seconds), using a shared secret key. The code changes every 30 seconds. The server and the client both independently compute the same code because they share the secret and use the same time.
Where do I find my TOTP Base32 secret key?
When you enable 2FA on a website or service, it shows a QR code and usually also a text string like "JBSWY3DPEHPK3PXP" — that is the Base32 secret key. You should save this key securely when setting up 2FA because it is the only way to regenerate your codes if you lose your authenticator app. If you did not save it, you will need to disable and re-enable 2FA on the service to get a new secret.
Is this compatible with Google Authenticator and Authy?
Yes. This tool implements the same RFC 6238 standard used by Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and all other standard TOTP apps. If you enter the same Base32 secret key that you scanned with your authenticator app, you will see the same 6-digit code at any given moment.
Why does my TOTP code not match what my app shows?
TOTP codes are time-sensitive. If your device's clock is not synchronized with NTP (Network Time Protocol), the codes will be out of sync. Most modern devices auto-sync their clocks, but drift can cause mismatches. Also ensure you are entering the correct Base32 secret — even a single wrong character produces completely different codes.
What does the color of the progress bar mean?
The progress bar indicates time remaining before the current code expires. Green means more than 10 seconds remain — plenty of time to use the code. Yellow means 10 seconds or fewer remain — enter the code promptly. Red means 5 seconds or fewer remain — the code will expire very soon and you may want to wait for the next one to avoid a race condition.
Is it safe to enter my TOTP secret in this tool?
The tool processes the secret entirely in your browser using the Web Crypto API. Nothing is sent to any server. However, you should be cautious about entering production TOTP secrets in any online tool. This tool is best used for development testing, learning about TOTP, or recovering a code when your authenticator app is unavailable. Avoid using it routinely for high-security accounts.
What is the difference between TOTP and HOTP?
TOTP (Time-based OTP) derives the counter from the current time, so the code changes every 30 seconds regardless of how many times it is used. HOTP (HMAC-based OTP, RFC 4226) uses an incrementing counter that advances only when a code is used, so the code stays the same until used. TOTP is more common for 2FA apps because it does not require state synchronization between client and server.
Why is the TOTP period 30 seconds?
RFC 6238 recommends a 30-second period as a balance between security and usability. A shorter period would make codes expire before users can type them. A longer period would give attackers more time to use a stolen code. Most TOTP implementations allow a window of ±1 period (±30 seconds) to account for clock drift, meaning a code is valid for up to 90 seconds in practice.
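The computation described under "About TOTP Generator" and the ±1 period acceptance window described in the last answer, as an added JavaScript example; it is not this tool's own source code. The function names (base32Decode, totp, verify, constantTimeEqual) and the lastStep replay guard are assumptions made for illustration; skipping already-accepted time steps follows the RFC 6238 recommendation that a verifier not accept the same code twice.

```javascript
// Added example: RFC 6238 TOTP (HMAC-SHA1, 30 s period, 6 digits).
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require("node:crypto").webcrypto.subtle; // fallback for older Node.js
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode a Base32 secret; whitespace and '=' padding are ignored.
function base32Decode(secret) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of secret.toUpperCase().replace(/[\s=]/g, "")) {
    const idx = ALPHABET.indexOf(ch);
    if (idx < 0) throw new Error(`invalid Base32 character: ${ch}`);
    value = ((value << 5) | idx) & 0xfff; // keep at most 12 pending bits
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return new Uint8Array(out);
}

// 6-digit code for an explicit Unix time (seconds), so results are reproducible.
async function totp(secret, unixSeconds) {
  const counter = new DataView(new ArrayBuffer(8));
  counter.setBigUint64(0, BigInt(Math.floor(unixSeconds / 30))); // big-endian
  const key = await subtle.importKey("raw", base32Decode(secret),
    { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, counter.buffer));
  const offset = mac[mac.length - 1] & 0x0f; // low nibble of the last byte
  const bin = new DataView(mac.buffer).getUint32(offset) & 0x7fffffff; // drop top bit
  return String(bin % 1_000_000).padStart(6, "0");
}

// Compare two codes without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Verifier side: accept steps t-1..t+1, skipping any step <= lastStep so an
// already-accepted code cannot be replayed. Returns the matched step or null.
async function verify(secret, code, unixSeconds, lastStep = -1) {
  const now = Math.floor(unixSeconds / 30);
  for (let step = now - 1; step <= now + 1; step++) {
    if (step <= lastStep) continue;
    if (constantTimeEqual(await totp(secret, step * 30), code)) return step;
  }
  return null;
}
```

A verifier stores the step returned by verify per account and passes it back as lastStep on the next attempt.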