Is my secret key sent to any server?

No. Everything runs locally in your browser using the Web Crypto API. Your secret key and generated codes never leave your device.

What format is the secret key?

TOTP secret keys use Base32 encoding (characters A–Z and 2–7). They are typically 16–32 characters long. You can find the key in your 2FA setup QR code or as a text backup code.

Why does my code not match my authenticator app?

Ensure your device clock is accurate — TOTP codes are time-sensitive. Also verify you are using the same settings (digits, step, algorithm) as your app. Most apps use 6 digits / 30s / SHA-1.

What is the difference between TOTP and HOTP?

HOTP (HMAC-based OTP) uses a counter that increments with each use. TOTP is derived from HOTP but uses the current Unix time divided by the time step as the counter, making codes automatically expire.

🔑

TOTP / 2FA Code Generator

Generate and verify time-based one-time passwords (TOTP) compatible with Google Authenticator and Authy. Runs entirely in your browser.

🔒 Security Tools Free Browser-based

Tool

Secret Key (Base32)

Digits

Time Step

Algorithm

Secret Key (Base32)

Code to Verify

What is TOTP?

TOTP (Time-Based One-Time Password) is the standard algorithm behind Google Authenticator, Authy and most 2FA apps. It generates a new numeric code every 30 seconds using your secret key and the current time, making it highly resistant to replay attacks.

TOTP Parameters

Parameter	Default	Description
Digits	6	Length of the OTP code
Time Step	30s	How often the code refreshes
Algorithm	SHA-1	HMAC hash function used
Secret	—	Shared Base32-encoded key

Compatibility

The default settings (6 digits, 30 second step, SHA-1) are compatible with Google Authenticator, Authy, Microsoft Authenticator and all major TOTP apps. Custom parameters may not be supported by all apps.

TOTP / 2FA Code Generator

What is TOTP?

TOTP Parameters

Compatibility

Frequently Asked Questions