TOTP/2FA Generator

Generate Time-based One-Time Password (TOTP) codes for testing 2FA implementations. Compatible with Google Authenticator and similar apps.

About TOTP

TOTP generates time-based codes that change every 30 seconds. The secret key should be stored securely and shared only during initial setup (usually via QR code). This tool is for testing purposes; in production, generate secrets server-side.

What is This Tool?

A TOTP/2FA generator creates Time-based One-Time Passwords compatible with Google Authenticator, Authy, and other TOTP apps. Generate secret keys, produce QR codes for enrollment, and verify TOTP codes — essential for testing two-factor authentication implementations.

TOTP (RFC 6238) generates 6-8 digit codes that change every 30 seconds. It combines a shared secret with the current Unix timestamp using HMAC-SHA1/SHA256/SHA512. The same algorithm runs in both the authenticator app and the server, producing matching codes without network communication.

Common Use Cases

2FA Implementation Testing

Generate TOTP secrets and verify codes when building two-factor authentication into your application.

QR Code Enrollment

Create otpauth:// URI QR codes that users scan with Google Authenticator, Authy, or 1Password for 2FA enrollment.

Recovery Code Testing

Test TOTP backup/recovery flows, time drift handling, and code expiration logic.

Security Auditing

Verify that your TOTP implementation uses adequate secret length (128+ bits) and handles time synchronization correctly.

Frequently Asked Questions

How does TOTP work?

HMAC(secret, floor(unix_time / 30)) produces a hash. Four bytes are extracted from it using dynamic truncation and converted to a 6-8 digit decimal code.

What is the secret format?

TOTP secrets are typically 20+ bytes encoded as Base32 (A-Z, 2-7). The QR code encodes an otpauth://totp/ URI containing the secret.

Why do codes sometimes fail?

The usual cause is time drift between client and server. Most implementations accept codes from the previous and next 30-second windows (±30s tolerance).
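
The computation and the ±1 window check described in the answers above, as an added Python example (not this tool's own code). The function names are illustrative, and the `last_used_counter` replay check goes beyond what the page describes: RFC 6238 requires that a code not be accepted a second time.

```python
import base64
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC over the 8-byte big-endian counter, then dynamic truncation (RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 4 bytes, top bit cleared
    return str(value % 10 ** digits).zfill(digits)   # keep leading zeros

def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(unix_time) // step, digits, algo)

def decode_secret(b32: str) -> bytes:
    """Decode a Base32 secret (A-Z, 2-7) and reject keys under 128 bits."""
    cleaned = b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)         # authenticator secrets usually omit padding
    key = base64.b32decode(cleaned)
    if len(key) < 16:
        raise ValueError("secret is shorter than 128 bits")
    return key

def verify(key: bytes, submitted: str, unix_time: float, last_used_counter: int = -1,
           window: int = 1, step: int = 30, digits: int = 6, algo: str = "sha1"):
    """Return the matching time-step counter, or None.

    Accepts the current step plus `window` steps either side to absorb clock
    drift. Steps at or before last_used_counter are skipped so a code cannot
    be replayed; the caller stores the returned counter per user.
    """
    current = int(unix_time) // step
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_used_counter:
            continue
        expected = hotp(key, counter, digits, algo).encode()
        if hmac.compare_digest(expected, submitted.encode()):  # constant-time compare
            matched = counter
    return matched

if __name__ == "__main__":
    # Constructed input: the published RFC 6238 test key, not a real secret.
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, 59, digits=8))               # RFC 6238 vector for T=59, SHA-1
    print(verify(key, "287082", 89))             # code from the previous window is accepted
```

A wider `window` tolerates more drift but lengthens the period in which an intercepted code remains valid.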