Toolcroft


TOTP Code Generator (RFC 6238)

Generate TOTP authentication codes from a Base32 secret - RFC 6238 compliant. Shows the current code, next code, and countdown timer. Everything runs in your browser.

Security note: Only paste test or development secrets here. Use a dedicated authenticator app for real accounts. All computation is local - nothing leaves your browser.

The manual-entry key from your 2FA setup page. Spaces and hyphens are ignored.


What is TOTP?

TOTP (Time-based One-Time Password) is defined in RFC 6238 and builds on HOTP (RFC 4226). It generates a short numeric code that changes every 30 seconds (the period is configurable, but 30 seconds is what almost every service uses) from a shared secret, shown to you Base32-encoded at enrollment, and the current UTC time. Authenticator apps such as Google Authenticator, Authy, and Microsoft Authenticator implement TOTP.

How TOTP works

The algorithm has three steps. First, the current Unix time (seconds since 1970-01-01 UTC) is divided by the period (30 seconds) and truncated to an integer; this is the counter T. Second, HMAC-SHA1 (or HMAC-SHA256/SHA-512 if the service specifies it) is computed over the 8-byte big-endian encoding of T, using the raw bytes of the decoded Base32 secret as the key. Third, dynamic truncation: the low 4 bits of the last HMAC byte select an offset, the 4 bytes starting at that offset are read as a big-endian integer with the top bit cleared (a 31-bit value), and that value is reduced modulo 10^6 (10^8 for 8-digit codes) and zero-padded on the left to produce the final code.

Privacy and security

All TOTP computation happens locally in your browser using the native Web Crypto API. Your secret key is never transmitted anywhere. However, the TOTP secret is the second factor itself: anyone who obtains it can generate valid codes for as long as it stays enrolled, and the only remedy is to re-enroll 2FA on that account. Only enter test or development secrets here, and use a dedicated authenticator app for real accounts.

Finding your Base32 secret

When you enable 2FA on a website, the setup page shows a QR code and usually a "Manual entry key" or "Secret key" link. This key is your Base32-encoded TOTP secret. It consists of the letters A–Z and digits 2–7 (often displayed in groups of four, sometimes in lowercase, and usually without the trailing "=" padding).

Common TOTP app comparison

App                     | Backup / sync                              | Multi-device               | Notes
Google Authenticator    | Limited (Google Account sync added 2023)   | Yes (after sync)           | Simple; widely supported; early versions had no backup
Authy                   | Encrypted cloud backup                     | Yes                        | Most convenient; cloud backup is a trust trade-off
Microsoft Authenticator | Encrypted cloud backup                     | Yes                        | Integrates well with Microsoft accounts; also supports push 2FA
YubiKey (hardware)      | N/A (secrets stay on the key)              | Multiple keys recommended  | Requires the physical device; phishing-resistant only in its FIDO2/WebAuthn mode, not for TOTP secrets stored on the key

Cloud-backup apps trade some security for convenience. A cloud-synced authenticator is easier to restore after a lost phone, but the backup itself becomes a target. For highest security, use a hardware key or an app with no cloud sync.

What happens when clocks drift

TOTP requires the client and server clocks to be closely synchronized. RFC 6238 recommends that servers tolerate at most one time step of skew, so a server typically accepts the code for the current 30-second window plus the previous and next ones: three consecutive windows, 90 seconds in total. The same RFC also requires that a server never accept a code it has already accepted, so a captured code cannot be replayed within that window.
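The three steps described under "How TOTP works" and the ±1-step skew window described here, worked through as an added example in Python (this is not the Toolcroft tool's own code, which runs in the browser on Web Crypto). The function names decode_base32_secret, hotp, totp and TotpVerifier, and the per-user replay guard, are this example's own choices; the test vectors are the published ones from RFC 4226 Appendix D and RFC 6238 Appendix B, which use the ASCII seed "12345678901234567890" directly as the key.

```python
"""RFC 6238 TOTP (over RFC 4226 HOTP) plus a server-side verifier with +-1 step skew.

Added example, not the Toolcroft tool's own code. Assumed names:
decode_base32_secret, hotp, totp, TotpVerifier and the replay guard
_last_accepted_step. Test vectors are the published ones from
RFC 4226 Appendix D and RFC 6238 Appendix B (ASCII seeds).
"""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(text):
    """Turn a manual-entry key into raw key bytes.

    Setup pages show the secret in groups of four, sometimes lowercase,
    usually without '=' padding: spaces and hyphens are dropped, case is
    folded, and padding is restored before decoding.
    """
    cleaned = "".join(ch for ch in text.upper() if ch not in " -").rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                               # low nibble picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(value % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with counter T = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


class TotpVerifier:
    """Server side of the exchange.

    Accepts the current step and up to `skew` steps either side (skew=1 is
    the RFC 6238 recommendation, i.e. three 30-second windows), compares in
    constant time, and refuses any step at or before the last one that
    succeeded, so a captured code cannot be replayed (RFC 6238 section 5.2).
    """

    def __init__(self, key, period=30, digits=6, algorithm="sha1", skew=1):
        self.key, self.period, self.digits = key, period, digits
        self.algorithm, self.skew = algorithm, skew
        self._last_accepted_step = -1  # per-user state; persist it in a real deployment

    def verify(self, candidate, at=None):
        if at is None:
            at = time.time()
        if not (candidate.isascii() and candidate.isdigit() and len(candidate) == self.digits):
            return False
        now_step = int(at) // self.period
        for delta in range(-self.skew, self.skew + 1):
            step = now_step + delta
            if step <= self._last_accepted_step:
                continue  # already used, or older than a code already accepted
            expected = hotp(self.key, step, self.digits, self.algorithm)
            if hmac.compare_digest(expected, candidate):
                self._last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 SHA-1 seed; its Base32 form is GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
    seed = b"12345678901234567890"
    print(totp(seed, at=59, digits=8))          # 94287082 (RFC 6238 Appendix B, T=59)
    v = TotpVerifier(seed)
    print(v.verify(totp(seed, at=75), at=59))   # True: client 16 s ahead, within one step
    print(v.verify(totp(seed, at=75), at=59))   # False: the same code replayed
```

The verifier deliberately loops over all candidate steps and compares with hmac.compare_digest rather than returning on the first string mismatch, and it stores only the last accepted step rather than every code seen, which is enough to block both replay and "rollback" to an older window.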

If your device's clock is off by more than one 30-second step, the codes it generates will be rejected: with a ±1-step window, an offset of up to 30 seconds always works, 30 to 60 seconds works only part of the time, and more than 60 seconds never does. Authenticator apps read the phone's clock, so resync it:

  • Windows: w32tm /resync in an elevated command prompt.
  • macOS: System Settings -> General -> Date & Time -> toggle "Set automatically."
  • iOS: Settings -> General -> Date & Time -> toggle "Set Automatically."
  • Android: Settings -> System -> Date & time -> toggle "Automatic date & time" (the exact path varies by vendor).

TOTP vs. SMS 2FA

TOTP is significantly more resistant to common attacks than SMS-based two-factor authentication:

  • SIM-swapping: attackers social-engineer mobile carriers into transferring your phone number to a SIM they control, intercepting all SMS codes. TOTP codes are not delivered via the carrier - they are generated locally - so SIM-swapping has no effect.
  • SS7 interception: the telecom signaling protocol has known vulnerabilities that sophisticated attackers can exploit to intercept SMS. TOTP is immune.
  • Phishing: both TOTP and SMS codes can be phished in real time by adversary-in-the-middle attacks, because the code is just a number the user types into whatever page asked for it. FIDO2/WebAuthn authenticators (hardware security keys, or platform passkeys) are the phishing-resistant option: the credential is bound to the site's origin, so a lookalike site cannot obtain a usable assertion.

Even though it can be phished, TOTP is a major security improvement over SMS 2FA. Enable TOTP wherever it is offered, and reserve hardware keys for your most critical accounts.