TOTP / OTP Code Generator for Two-Factor Authentication

Generate RFC 6238 time-based one-time passwords (TOTP) for two-factor authentication testing. Create setup QR codes for Google Authenticator, Authy, Microsoft Authenticator, and other 2FA apps. Configure secret keys, time periods, digit count, and hash algorithms (SHA-1, SHA-256, SHA-512).

OTP Code Generator: Enter a secret key or generate one to create time-based (TOTP) or counter-based (HOTP) one-time passwords. The 6-digit code refreshes every 30 seconds. Useful for testing 2FA implementations.

OTP code generator

Generate and validate time-based OTP (one time password) for multi-factor authentication. totp generator, totp qr code generator.

Secret (base32)

Technical details

Secret in hexadecimal

9f46f04e3d53f4877017

Epoch

1780307250

Iteration — Count

59343575

Padded hex

00000000038982d7

Key Takeaways

Generates TOTP (time-based) and HOTP (counter-based) one-time passwords
Standard 6-digit codes that refresh every 30 seconds (TOTP)
Compatible with Google Authenticator, Authy, and other 2FA apps
Uses HMAC-SHA1, SHA256, or SHA512 algorithms per RFC 6238
Useful for developers testing 2FA integration in their applications

What is OTP Code Generator?

OTP Code Generator — An OTP Generator is a free tool that creates one-time passwords and TOTP/HOTP codes for two-factor authentication testing and development.

Generate TOTP (Time-based One-Time Password) codes and 2FA setup QR codes with this free online tool. Enter or generate a Base32 secret key, configure the time period (default 30 seconds), digit count (6 or 8), and hash algorithm (SHA-1, SHA-256, SHA-512), then see the current OTP code with a live countdown timer. Create otpauth:// setup URIs and QR codes compatible with Google Authenticator, Authy, Microsoft Authenticator, 1Password, and other TOTP apps. Essential for developers building two-factor authentication into web and mobile applications, QA teams testing 2FA login flows, and support teams debugging OTP mismatch issues.

How to Use OTP Code Generator

1
Enter an existing Base32 secret key, or click Generate to create a new one.
2
Configure settings: time period (30s default), digits (6), and hash algorithm (SHA-1).
3
View the current TOTP code with countdown timer, plus previous and next window codes.
4
Scan the QR code with Google Authenticator or Authy to verify your 2FA implementation works.

Key Features

RFC 6238 TOTP code generation with live countdown timer

QR code and otpauth:// URI generation for authenticator app setup

Configurable secret key, time period, digit count, and hash algorithm

Current, previous, and next time window code display for drift debugging

Compatible with Google Authenticator, Authy, Microsoft Authenticator, and 1Password

Use Cases

Testing two-factor authentication implementations in web and mobile apps

Generating TOTP setup QR codes for authenticator app enrollment flows

Debugging OTP mismatch issues caused by clock drift or configuration errors

Validating 2FA backup and recovery workflows during security audits

About OTP Code Generator

How TOTP Works (RFC 6238)

TOTP combines a shared secret key (Base32-encoded) with the current Unix timestamp divided by a time period (typically 30 seconds) to produce a counter value T = floor((current_time - T0) / period). The tool then computes HMAC(secret, T), truncates the result via dynamic offset to a 31-bit integer, and takes that integer modulo 10⁶ (or 10⁸) to produce a 6 or 8-digit code. Both the server and the authenticator app perform this calculation independently — if the codes match, authentication succeeds. The standard allows for a ±1 window tolerance (server accepts the previous and next code as well) to handle minor clock drift between devices.

otpauth:// URI Anatomy

When you scan a 2FA QR code, it encodes an otpauth:// URI in this format: otpauth://totp/Issuer:account@example.com?secret=BASE32SECRET&issuer=Issuer&algorithm=SHA1&digits=6&period=30. The Issuer:account path is what appears in your authenticator app as the entry name. The query parameters tell the app how to compute codes — most apps default to SHA-1 / 6 digits / 30 seconds if those parameters are omitted (matching Google Authenticator's original 2010 implementation). For HOTP, the URI uses otpauth://hotp/... with a counter= parameter instead of period=.

SHA-1 vs SHA-256 vs SHA-512

SHA-1 is the universal default — every authenticator app supports it, and it's what Google Authenticator originally implemented. Despite SHA-1 being deprecated for collision-resistance applications (TLS, digital signatures), HMAC-SHA1 remains cryptographically secure for TOTP because HMAC's security relies on PRF behavior, not collision resistance. SHA-256 and SHA-512 are stronger algorithms used by some enterprise systems (e.g., Microsoft Authenticator Premium, some banking 2FA). Compatibility caveat: if you select SHA-256 or SHA-512, the authenticator app must also support that algorithm — Google Authenticator (the original Android version pre-2020) and many older apps only support SHA-1.

Debugging "Invalid Code" Errors

When 2FA codes don't match, check in this order:(1) Device clock sync — open Settings → Date & Time and enable Automatic / NTP. Even 30 seconds of drift will desync codes. (2) Base32 secret encoding — Base32 is case-insensitive but padding (=) and lowercase variations cause silent failures. (3) Hash algorithm mismatch — SHA-1 vs SHA-256 produce completely different codes from the same secret. (4) Time period — most services use 30 seconds; some use 60. (5) Digit count — 6 vs 8 digits. (6) Counter desync (HOTP only) — if you press "next code" in your app more than the server expects, codes drift permanently.

TOTP vs WebAuthn / Passkeys

TOTP is a shared-secret system — both the server and your authenticator app know the same Base32 secret. This means TOTP is vulnerable to phishing (an attacker who tricks you into typing a code into a fake login page can replay it within 30 seconds) and to server-side database breaches (if an attacker steals the secret, they can generate codes forever). WebAuthn / passkeys use public-key cryptography — the server only stores a public key, and the private key never leaves your device. Best practice for high-value accounts: use passkeys / WebAuthn as the primary 2FA, with TOTP as a backup. For everything else, TOTP is dramatically better than SMS-based 2FA (which is vulnerable to SIM-swap attacks).

Common Use Cases

Developers building 2FA into their app use this to test setup flows end-to-end without needing a real authenticator app. QA teams use the previous / current / next window display to debug clock-drift bugs in TOTP verification code. Support teams use it to recover stuck accounts where a user has the secret but lost their authenticator app. Security researchers and red teams use it to verify TOTP implementations against RFC 6238 reference vectors.

Frequently Asked Questions

How does TOTP two-factor authentication work?: TOTP combines a shared secret key with the current time (divided into 30-second windows) using HMAC to generate a short-lived 6-digit code. Both the authenticator app and server compute the same code independently — if they match, login succeeds.
Which authenticator apps are compatible with this tool?: All TOTP-compatible apps: Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, FreeOTP, and any app that supports otpauth:// URIs and RFC 6238.
Why does my authenticator show a different code than this tool?: Common causes: clock drift (sync your device time via NTP), wrong secret key encoding, algorithm mismatch (SHA-1 vs SHA-256), different time period (30s vs 60s), or digit count mismatch (6 vs 8 digits).
What is the difference between TOTP and HOTP?: TOTP is time-based — codes change every 30 seconds. HOTP is counter-based — codes change only when the counter increments. TOTP is more common because it doesn't require counter synchronization between devices.
Can I use this to set up 2FA for my own application?: Yes. Generate a Base32 secret, create a QR code with the otpauth:// URI, let users scan it with their authenticator app, and verify codes on your server using a TOTP library (speakeasy for Node.js, pyotp for Python).
Is TOTP secure enough for production authentication?: Yes. TOTP is a proven standard used by Google, GitHub, AWS, and most major services. For highest security, combine TOTP with phishing-resistant methods like WebAuthn/passkeys as a primary factor.
How do I generate an OTP QR code?: Enter your service name and secret (or click 'generate random secret') above. The tool produces a QR code following the standard otpauth://totp/Issuer:account?secret=BASE32SECRET&issuer=Issuer URI format. Scan it with Google Authenticator, Authy, 1Password, Bitwarden, or any RFC 6238 TOTP authenticator. The same code can be entered manually if scanning isn't possible — useful for cross-device setup.
Can I generate a TOTP QR code for Google Authenticator?: Yes. The QR code uses the otpauth:// URI scheme that Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and Aegis all support. Just scan and the account is added. The tool defaults to 6-digit codes with a 30-second period (the standard Google uses), but you can change to 8 digits or 60-second period for compatibility with services that require those settings.
What's the difference between HOTP and TOTP?: HOTP (HMAC-based One-Time Password, RFC 4226) generates codes from a counter that increments each use — the server and client must stay in sync. TOTP (Time-based, RFC 6238) generates codes from the current Unix time divided by a period (usually 30 seconds) — no counter sync needed. Google Authenticator and most modern apps use TOTP. HOTP is rare today but still seen in hardware tokens (YubiKey OATH-HOTP mode).
Is the secret stored anywhere?: No. The secret generation and QR-code rendering both happen client-side in your browser. Nothing is sent to a server. The secret only leaves your browser when YOU choose to scan it into an authenticator app — which is encrypted at rest in that app. You can verify zero network calls in DevTools → Network.
Why does Google Authenticator show 'Invalid code' even though the secret is correct?: The #1 cause is device clock drift. Open Settings → Date & Time and enable 'Set automatically' (NTP sync). The #2 cause is algorithm mismatch — Google Authenticator only supports SHA-1 by default; if the service is using SHA-256 you'll get invalid-code errors even with the right secret. Use this tool's algorithm dropdown to confirm which one the service expects.
What's the maximum 'safe' clock drift for TOTP?: Most servers accept the current code plus the previous and next 30-second window (±1 step), giving ~60 seconds of drift tolerance. Some strict implementations only accept the current window (no tolerance). If you're consistently seeing rejected codes, your device clock is off by 30+ seconds — sync it via NTP.
Can I export my Google Authenticator secrets to use here?: Yes. Open Google Authenticator → menu → Transfer accounts → Export accounts. It produces a QR code containing an otpauth-migration:// URI with all your secrets. Decode that QR (you can use our QR Code Reader tool) to extract each Base32 secret, then paste it here. Useful when migrating from Google Authenticator to Authy, 1Password, or a hardware key.
Is this tool RFC 6238 compliant?: Yes. The generated codes match the official RFC 6238 reference test vectors exactly (you can verify with the standard test secret '12345678901234567890' and known timestamps). Compatible with every spec-compliant TOTP implementation: GitHub, AWS, Google, Microsoft, Cloudflare, and thousands of others.

Loading your tools...

How TOTP Works (RFC 6238)

otpauth:// URI Anatomy

SHA-1 vs SHA-256 vs SHA-512

Debugging "Invalid Code" Errors

TOTP vs WebAuthn / Passkeys

Common Use Cases

Frequently Asked Questions

How does TOTP two-factor authentication work?

TOTP combines a shared secret key with the current time (divided into 30-second windows) using HMAC to generate a short-lived 6-digit code. Both the authenticator app and server compute the same code independently — if they match, login succeeds.

Which authenticator apps are compatible with this tool?

All TOTP-compatible apps: Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, FreeOTP, and any app that supports otpauth:// URIs and RFC 6238.

Why does my authenticator show a different code than this tool?

Common causes: clock drift (sync your device time via NTP), wrong secret key encoding, algorithm mismatch (SHA-1 vs SHA-256), different time period (30s vs 60s), or digit count mismatch (6 vs 8 digits).

What is the difference between TOTP and HOTP?

TOTP is time-based — codes change every 30 seconds. HOTP is counter-based — codes change only when the counter increments. TOTP is more common because it doesn't require counter synchronization between devices.

Can I use this to set up 2FA for my own application?

Yes. Generate a Base32 secret, create a QR code with the otpauth:// URI, let users scan it with their authenticator app, and verify codes on your server using a TOTP library (speakeasy for Node.js, pyotp for Python).

Is TOTP secure enough for production authentication?

Yes. TOTP is a proven standard used by Google, GitHub, AWS, and most major services. For highest security, combine TOTP with phishing-resistant methods like WebAuthn/passkeys as a primary factor.

How do I generate an OTP QR code?

Enter your service name and secret (or click 'generate random secret') above. The tool produces a QR code following the standard otpauth://totp/Issuer:account?secret=BASE32SECRET&issuer=Issuer URI format. Scan it with Google Authenticator, Authy, 1Password, Bitwarden, or any RFC 6238 TOTP authenticator. The same code can be entered manually if scanning isn't possible — useful for cross-device setup.

Can I generate a TOTP QR code for Google Authenticator?

Yes. The QR code uses the otpauth:// URI scheme that Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and Aegis all support. Just scan and the account is added. The tool defaults to 6-digit codes with a 30-second period (the standard Google uses), but you can change to 8 digits or 60-second period for compatibility with services that require those settings.

What's the difference between HOTP and TOTP?

HOTP (HMAC-based One-Time Password, RFC 4226) generates codes from a counter that increments each use — the server and client must stay in sync. TOTP (Time-based, RFC 6238) generates codes from the current Unix time divided by a period (usually 30 seconds) — no counter sync needed. Google Authenticator and most modern apps use TOTP. HOTP is rare today but still seen in hardware tokens (YubiKey OATH-HOTP mode).

Is the secret stored anywhere?

No. The secret generation and QR-code rendering both happen client-side in your browser. Nothing is sent to a server. The secret only leaves your browser when YOU choose to scan it into an authenticator app — which is encrypted at rest in that app. You can verify zero network calls in DevTools → Network.

Why does Google Authenticator show 'Invalid code' even though the secret is correct?

The #1 cause is device clock drift. Open Settings → Date & Time and enable 'Set automatically' (NTP sync). The #2 cause is algorithm mismatch — Google Authenticator only supports SHA-1 by default; if the service is using SHA-256 you'll get invalid-code errors even with the right secret. Use this tool's algorithm dropdown to confirm which one the service expects.

What's the maximum 'safe' clock drift for TOTP?

Most servers accept the current code plus the previous and next 30-second window (±1 step), giving ~60 seconds of drift tolerance. Some strict implementations only accept the current window (no tolerance). If you're consistently seeing rejected codes, your device clock is off by 30+ seconds — sync it via NTP.

Can I export my Google Authenticator secrets to use here?

Yes. Open Google Authenticator → menu → Transfer accounts → Export accounts. It produces a QR code containing an otpauth-migration:// URI with all your secrets. Decode that QR (you can use our QR Code Reader tool) to extract each Base32 secret, then paste it here. Useful when migrating from Google Authenticator to Authy, 1Password, or a hardware key.

Is this tool RFC 6238 compliant?

Yes. The generated codes match the official RFC 6238 reference test vectors exactly (you can verify with the standard test secret '12345678901234567890' and known timestamps). Compatible with every spec-compliant TOTP implementation: GitHub, AWS, Google, Microsoft, Cloudflare, and thousands of others.

Tools

Finance

AI

Media

Marketing

More

TOTP / OTP Code Generator for Two-Factor Authentication

OTP code generator

Technical details

Key Takeaways

What is OTP Code Generator?

How to Use OTP Code Generator

Key Features

Use Cases

About OTP Code Generator

How TOTP Works (RFC 6238)

otpauth:// URI Anatomy

SHA-1 vs SHA-256 vs SHA-512

Debugging "Invalid Code" Errors

TOTP vs WebAuthn / Passkeys

Common Use Cases

Frequently Asked Questions

TOTP / OTP Code Generator for Two-Factor Authentication

OTP code generator

Technical details

Key Takeaways

What is OTP Code Generator?

How to Use OTP Code Generator

Key Features

Use Cases

About OTP Code Generator

How TOTP Works (RFC 6238)

otpauth:// URI Anatomy

SHA-1 vs SHA-256 vs SHA-512

Debugging "Invalid Code" Errors

TOTP vs WebAuthn / Passkeys

Common Use Cases

Frequently Asked Questions