TOTP Generator

TOTP is a two-factor authentication algorithm defined in RFC 6238. It generates a short numeric code (usually 6 digits) from a shared secret key and the current time. The code changes every 30 seconds. TOTP is used by Google Authenticator, Authy, Microsoft Authenticator, 1Password, and most 2FA systems. The server and client must share the same secret key and be synchronized within ~30 seconds.

TOTP = HMAC-SHA1(secret, floor(timestamp / period)). The secret is a Base32-encoded key shared during setup. The timestamp is Unix time in seconds. The period is typically 30 seconds. The HMAC output is truncated to a 6-digit number using dynamic truncation (RFC 4226). Because both server and client compute the same HMAC with the same inputs, the codes match without any network communication.

This tool runs entirely in your browser — your secret key is never sent to any server. However, for daily 2FA use, dedicated authenticator apps (Google Authenticator, Authy, 1Password) are more practical because they securely store multiple secrets, work offline, and have backup/sync features. Use this tool for testing, development, or emergency code generation.

Base32 encodes binary data using 32 ASCII characters (A-Z and 2-7). It is used for TOTP secrets because it is case-insensitive, human-readable, and avoids confusing characters (0/O, 1/l/I). A typical TOTP secret is 16-32 Base32 characters (80-160 bits). When you scan a QR code during 2FA setup, the URI contains the Base32-encoded secret.

Most likely causes: 1) Time sync — your device clock is off by more than 30 seconds. 2) Wrong secret — copy the exact Base32 key without spaces. 3) Different algorithm — some services use SHA-256 or SHA-512 instead of SHA-1. 4) Different digit count — some use 8 digits instead of 6. 5) Different period — some use 60 seconds instead of 30. This tool uses the standard SHA-1/6-digit/30-second configuration.