TOTP Generator & Validator
Generate and validate time-based one-time passwords — test your 2FA implementation
You’re implementing two-factor authentication in your app and need to verify that your TOTP implementation generates the correct codes. Or you’ve lost access to your authenticator app and have the secret key backed up — you need to generate the current code. This tool generates and validates TOTP codes from any base32 secret key.
Why This Tool
Testing TOTP implementations usually means switching between your code editor, an authenticator app, and RFC 6238 documentation. This tool shows the current TOTP code for any secret key with a live countdown timer, validates codes you enter, and lets you adjust parameters (time step, digits, algorithm). It’s a debugging companion for 2FA implementations. Everything runs in your browser — your secrets never leave your device.
What Is TOTP?
TOTP (Time-Based One-Time Password) is an algorithm defined in RFC 6238 that generates short-lived numeric codes from a shared secret and the current time. It’s the standard behind apps like Google Authenticator, Authy, and Microsoft Authenticator.
How TOTP Works
- Server and client share a secret key (usually encoded in base32)
- Both divide the current Unix time by the time step (default: 30 seconds), rounding down, to get a counter
- The counter is run through HMAC keyed with the shared secret
- A 6- or 8-digit code is extracted from the HMAC output via dynamic truncation
TOTP = Truncate(HMAC-SHA1(secret, floor(time / 30)))
Since both sides use the same secret and the same clock, they generate the same code at the same time.
TOTP Parameters
| Parameter | Default | Description |
|---|---|---|
| Algorithm | SHA-1 | Hash algorithm (SHA-1, SHA-256, SHA-512) |
| Digits | 6 | Code length (6 or 8) |
| Period | 30s | Time step in seconds |
| Secret | — | Base32-encoded shared key |
Most services use the defaults (SHA-1, 6 digits, 30 seconds). Some high-security services use SHA-256 or 8-digit codes.
The otpauth:// URI Format
QR codes for authenticator apps encode a URI:
otpauth://totp/Example:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30
| Parameter | Purpose |
|---|---|
| secret | Base32-encoded shared secret |
| issuer | Service name displayed in the app |
| algorithm | Hash algorithm |
| digits | Code length |
| period | Time step |
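The following Python parser, added here as an example and not code from the page's browser tool, pulls the parameters above out of an otpauth:// URI, applies the RFC 6238 defaults for anything omitted, and rejects values a generator could not use (a non-base32 secret, an unknown algorithm, an unsupported digit count). SAMPLE_URI is the URI shown on the page; parse_otpauth and the returned field names are this example's own choices.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# The example URI from the page, kept here as constructed sample input.
SAMPLE_URI = ("otpauth://totp/Example:user@example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30")

# RFC 4648 base32 alphabet (A-Z, 2-7) with optional '=' padding. Base64 secrets
# contain 0, 1, 8, 9, lower case, '+' or '/' and so fail this check.
BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI into its TOTP parameters with defaults applied."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth:// URI")
    if parts.netloc != "totp":
        raise ValueError(f"unsupported OTP type: {parts.netloc!r}")

    # The label is "Issuer:account" or just "account"; it may be percent-encoded.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    account = account.strip()

    # parse_qs returns lists; keep the last value for each key.
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}

    secret = query.get("secret", "").strip().upper()
    if not secret or not BASE32_RE.match(secret):
        raise ValueError("secret is missing or not base32 (A-Z, 2-7)")

    algorithm = query.get("algorithm", "SHA1").upper().replace("-", "")
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {algorithm!r}")

    digits = int(query.get("digits", "6"))
    if digits not in (6, 8):
        raise ValueError(f"unsupported digit count {digits}")

    period = int(query.get("period", "30"))
    if period <= 0:
        raise ValueError("period must be a positive number of seconds")

    # The issuer may appear in the label, the query, or both; both must agree.
    query_issuer = query.get("issuer")
    if label_issuer and query_issuer and label_issuer != query_issuer:
        raise ValueError("issuer in label and query string disagree")
    issuer = query_issuer or label_issuer or None

    return {"issuer": issuer, "account": account, "secret": secret,
            "algorithm": algorithm, "digits": digits, "period": period}


if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI))
```

Keeping the issuer check strict matters for debugging: authenticator apps read the issuer from either place, so a URI whose two copies differ will show under one name in one app and another name in the next.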
Security Considerations
- Never share your TOTP secret keys — anyone with the secret can generate valid codes
- TOTP codes are valid for one time step (30 seconds) plus a small clock-skew window
- Use this tool for testing only — for production authentication, use your authenticator app
- This tool runs entirely in your browser. Your secret keys are never sent to any server.
Common Issues in TOTP Implementations
- Clock drift: Server and client clocks must be synchronized. Allow ±1 time step window.
- Base32 encoding: Secrets must be valid base32. Common mistake: using base64 instead.
- Padding: Base32 padding characters (=) may or may not be included — handle both.
- Replay prevention: Each code should only be accepted once to prevent replay attacks.
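As an added example (not the page's own code, nor code from the browser tool it describes), the Python below implements the HMAC-and-truncate scheme from the "How TOTP Works" section and a server-side verifier that handles each issue in the list above: a base32 decoder that tolerates missing padding, lower case and spaces; a ±1 time step window for clock drift; and per-step replay rejection. SAMPLE_SECRET_B32 is the page's example secret, RFC_KEY_SHA1 is the RFC 6238 Appendix B test key, and the names decode_base32_secret, hotp, totp and TotpVerifier are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample secret: the base32 string from the page's otpauth:// URI;
# it decodes to the bytes b"Hello!\xde\xad\xbe\xef".
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"

# RFC 6238 Appendix B test key for SHA-1 (ASCII "1234567890" repeated to 20 bytes).
RFC_KEY_SHA1 = b"12345678901234567890"


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 secret while tolerating the forms seen in the wild:
    missing '=' padding, lower case, and spaces or dashes added for readability."""
    cleaned = secret.replace(" ", "").replace("-", "").upper().rstrip("=")
    cleaned += "=" * ((-len(cleaned)) % 8)      # restore padding to a multiple of 8
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)            # keep leading zeros


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, unix_time // period, digits, algorithm)


class TotpVerifier:
    """Server-side validator: accepts the current step plus `window` steps either
    side for clock skew, and remembers the highest step already redeemed so the
    same code (or an older one) cannot be replayed inside that window."""

    def __init__(self, secret_b32: str, period: int = 30, digits: int = 6,
                 algorithm: str = "SHA1", window: int = 1) -> None:
        self.key = decode_base32_secret(secret_b32)
        self.period, self.digits, self.algorithm, self.window = period, digits, algorithm, window
        self.last_used_step: Optional[int] = None   # persist per user in a real deployment

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit()):
            return False
        now = int(time.time()) if now is None else now
        current = now // self.period
        for step in range(current - self.window, current + self.window + 1):
            expected = hotp(self.key, step, self.digits, self.algorithm)
            # constant-time comparison so a mismatch does not leak how many digits matched
            if hmac.compare_digest(expected, code):
                if self.last_used_step is not None and step <= self.last_used_step:
                    return False            # replay, or older than a step already redeemed
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    key = decode_base32_secret(SAMPLE_SECRET_B32)
    now = int(time.time())
    print("current code:", totp(key, now), "seconds left:", 30 - now % 30)
```

Running the file prints the same code and countdown the page's tool would show for JBSWY3DPEHPK3PXP, which is a quick way to cross-check an implementation; the RFC 6238 Appendix B vectors (time 59 with 8 digits gives 94287082 for SHA-1) are the reference values to test against.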
Frequently Asked Questions
What is the difference between TOTP and HOTP? TOTP uses time as the counter (codes expire after 30 seconds). HOTP uses an incrementing counter (codes don’t expire until used). TOTP is more widely used because it doesn’t require counter synchronization between server and client.
Can I use this to recover my 2FA codes? Only if you have the original secret key (the base32 string or the QR code). If you’ve lost both the authenticator app and the secret key, you need to use recovery codes or contact the service provider.
Why is my generated code different from my authenticator app? Check: (1) the secret key matches exactly, (2) your device clock is accurate, (3) the algorithm and digit count match the service’s settings. Clock skew of more than 30 seconds will cause mismatches.
Is SHA-1 still secure for TOTP? Yes, for TOTP purposes. The known weaknesses of SHA-1 are collision attacks, and HMAC does not rely on collision resistance, so they do not apply to HMAC-SHA-1. RFC 6238 explicitly uses HMAC-SHA-1 as the default, and it remains secure for this specific use case.