TOTP/2FA Code Generator
Generate TOTP secrets and live rotating 2FA codes. All client-side.
How TOTP Works (RFC 6238)
TOTP is an extension of HOTP (HMAC-based One-Time Password, RFC 4226) that uses time as the moving factor instead of a counter. The algorithm works in four steps:
- Time step: Divide the current Unix timestamp by the period (default 30 seconds) to get an integer counter: T = floor(time / 30)
- HMAC: Compute HMAC-SHA1 of the counter (encoded as 8 big-endian bytes) using the shared secret key, producing a 20-byte hash.
- Truncation: Use the low 4 bits of the last byte of the hash as an offset, extract the 4 bytes starting at that offset, and mask off the top bit to get a 31-bit integer.
- Modulo: Take the integer modulo 10^6 to get a 6-digit code (keeping leading zeros).
Because both the server and the authenticator app share the same secret and use the same clock, they independently derive the same code at the same time.
Why SMS 2FA Is Insecure
Despite its convenience, SMS-based two-factor authentication has critical vulnerabilities:
- SIM swapping: Attackers social-engineer mobile carriers into transferring your phone number to their SIM card. This is the most common attack vector, responsible for millions of dollars in cryptocurrency theft.
- SS7 vulnerabilities: The Signaling System 7 protocol (designed in the 1970s) allows interception of SMS messages at the network level. This has been demonstrated in real-world attacks.
- Phishing: Attackers can intercept SMS codes in real-time through phishing sites that proxy login requests to the real service.
TOTP-based apps (Google Authenticator, Authy, 1Password) eliminate these risks because the secret never leaves your device.
Setting Up 2FA on Popular Services
Most major services support TOTP-based 2FA:
- Google: Security settings → 2-Step Verification → Authenticator app
- GitHub: Settings → Password and authentication → Two-factor authentication
- AWS: IAM → Security credentials → Multi-factor authentication
- Microsoft: Security basics → Advanced security options → Two-step verification
Always save the backup codes provided during setup. Store them in a password manager or print them and keep them in a secure location.
Backup Code Best Practices
Backup codes are your safety net if you lose access to your authenticator app. Follow these practices:
- Store backup codes in a different location than your authenticator app (not the same phone).
- Use a password manager with a strong master password to store backup codes digitally.
- Print backup codes and store them in a fireproof safe or safety deposit box.
- Regenerate backup codes periodically and after using any of them.
TOTP vs FIDO2/WebAuthn
| Property | TOTP | FIDO2/WebAuthn |
|---|---|---|
| Phishing resistance | Low (codes can be phished) | High (origin-bound) |
| Device requirement | Any TOTP app | Security key or platform authenticator |
| User experience | Type 6-digit code | Touch/biometric |
| Cost | Free (software) | $25-70 per hardware key |
| Adoption | Very high | Growing |
| Offline support | Yes | Yes (hardware keys) |
For maximum security, use FIDO2 hardware keys as your primary 2FA method and TOTP as a backup. For most users, TOTP provides an excellent balance of security and convenience.
Frequently Asked Questions
How does TOTP work?
TOTP (Time-based One-Time Password, RFC 6238) combines a shared secret key with the current time to produce a short-lived code. The algorithm: (1) divide current Unix time by 30 seconds to get a time step, (2) HMAC-SHA1 the time step with the secret key, (3) extract a 6-digit code from the HMAC output. Because both the server and your authenticator app share the same secret and clock, they independently generate the same code.
Is this tool safe to use for real 2FA secrets?
This tool generates secrets and codes entirely in your browser — nothing is transmitted to any server. However, for production use, we recommend setting up TOTP through your service provider's official flow (which typically involves scanning a QR code). This tool is ideal for testing, development, and understanding how TOTP works.
Why are TOTP codes only valid for 30 seconds?
The 30-second window balances security and usability. Shorter windows would frustrate users who type slowly, while longer windows increase the risk of code interception and replay attacks. Most implementations accept codes from the adjacent time steps (±1) to accommodate clock drift, effectively giving you a 90-second validity window.
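As an added example (not the page's own tool code), the four TOTP steps from "How TOTP Works" and the ±1-step acceptance window described above, in standard-library Python. The secret and timestamps are the RFC 4226/6238 reference values; the function names and the replay check via a stored last-used step are my own additions.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low 4 bits of the last byte pick the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit integer
    return str(code % 10 ** digits).zfill(digits)    # modulo 10^digits, keep leading zeros


def totp(secret, unix_time, period=30, digits=6):
    """RFC 6238 TOTP: the counter is the number of whole periods since the Unix epoch."""
    return hotp(secret, unix_time // period, digits)


def totp_from_base32(secret_b32, unix_time=None):
    """Authenticator apps share the secret as base32 text (the payload behind the QR code);
    normalise case/spaces and re-add the padding that setup screens usually strip."""
    if unix_time is None:
        unix_time = int(time.time())
    key = secret_b32.upper().replace(" ", "")
    key += "=" * (-len(key) % 8)
    return totp(base64.b32decode(key), unix_time)


def verify(secret, submitted, unix_time, last_used_step=-1, window=1, period=30, digits=6):
    """Server-side check: accept the current step plus +-window adjacent steps (clock drift),
    refuse any step already consumed (replay within the window), and compare in constant
    time. Returns the accepted step so the caller can store it, or None on failure."""
    step = unix_time // period
    for skew in range(-window, window + 1):
        candidate = step + skew
        if candidate <= last_used_step:
            continue  # already used (or negative) step: a replayed code must not succeed
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"              # RFC 4226 / RFC 6238 reference secret
    print(totp(key, 59, digits=8))             # 94287082 (RFC 6238 Appendix B, T=59)
    print(verify(key, totp(key, 59), 59 + 30)) # 1: accepted via the -1 skew step
```

Storing the returned step and passing it back as last_used_step is what stops a captured code from being accepted a second time inside the 90-second window.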
Why is SMS 2FA less secure than TOTP?
SMS-based 2FA is vulnerable to: SIM swapping (an attacker convinces your carrier to transfer your number), SS7 attacks (intercepting SMS at the network level), social engineering of carrier support staff, and malware that reads incoming SMS. TOTP secrets never leave your device, making them immune to all these attacks.
What happens if I lose my authenticator device?
If you lose your device, you'll need backup codes (most services provide 8-10 one-time recovery codes during 2FA setup). Store these securely (password manager or printed copy in a safe). Some services also support backup via: a second authenticator app, hardware security keys (FIDO2), or account recovery through identity verification.