TOTP Generator

Generate Time-Based One-Time Passwords (RFC 6238) from any base32 secret key. Useful for testing 2FA integrations, verifying authenticator setups, and understanding how TOTP works. Your secret key never leaves your browser.

🔒 Your secret key never leaves your browser. All computation is local using the Web Cryptography API.

What is TOTP?

TOTP (Time-Based One-Time Password) is an authentication standard defined in RFC 6238. It generates a short numeric code — typically 6 digits — that changes every 30 seconds. The code is calculated using:

Both the authenticator app and the server perform the same calculation independently. If the codes match, authentication succeeds. Because codes expire every 30 seconds, stolen codes are useless shortly after.

How to use this TOTP generator

  1. Enter your base32 secret key in the field above (or click "Generate Test Secret" to try with a random key).
  2. Select the code length (6 or 8 digits) and period (30 or 60 seconds) to match your service.
  3. The current TOTP code is displayed and auto-refreshes. A countdown bar shows time until the next refresh.
  4. Copy the code and paste it into your authentication flow.

TOTP vs HOTP — what's the difference?

TOTP (Time-Based OTP) generates codes using the current time as the counter input, refreshing every 30–60 seconds. Expired codes cannot be reused, and there's no counter synchronization needed between client and server.

HOTP (HMAC-Based OTP) uses an incrementing counter instead of time. The counter must stay synchronized between the authenticator and the server — drift causes authentication failures. TOTP is now the dominant standard because it's simpler and more secure.

Frequently Asked Questions

TOTP is a time-based one-time password standard (RFC 6238). It generates a 6-digit code every 30 seconds from a shared secret key and the current time, using HMAC-SHA1. It's used by all major authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) as a second factor in 2FA.

Enter your base32 secret key — the text code shown alongside a QR code during 2FA setup. The generator computes and displays the current 6-digit code, refreshing every 30 seconds. This is useful for testing 2FA setups, building authentication flows, or verifying that a secret key is correct.

TOTP uses the current time as its counter (codes refresh every 30s). HOTP uses an incrementing counter that must be synchronized between app and server. TOTP is preferred because expired codes can't be replayed and there's no synchronization issue. Most modern 2FA systems use TOTP.

Yes — PassFortify processes your secret key entirely in your browser. There are no network requests to any server. The computation uses the browser's built-in Web Cryptography API. That said, treat your TOTP secret like a password: never screenshot it or share it, since anyone with your secret can generate valid codes.