TOTP Generator
🔒 Runs entirely in your browser. Nothing is sent anywhere.
Generate 2FA codes from a TOTP secret. RFC 6238 compliant — updates every 30 seconds.
⚠ Secrets are stored in your browser only. Do not use this as your primary 2FA backup.
How It Works
What Is TOTP?
TOTP (Time-based One-Time Password) is the algorithm behind most authenticator apps. It's defined in RFC 6238 and used by Google Authenticator, Authy, 1Password, and most MFA implementations.
How Codes Are Generated
The algorithm takes a shared secret and the current Unix timestamp, divides the timestamp into 30-second windows to get a counter, then runs HMAC-SHA1 over that counter with the secret as the key. The result is truncated to 6 digits. Both your device and the server compute the same code independently.
30-Second Windows
Each code is valid for exactly 30 seconds. The countdown ring shows how much time remains. The "Next" code preview lets you prepare if the current code is about to expire.
Why TOTP Beats SMS 2FA
SMS codes can be intercepted via SIM-swapping attacks. TOTP codes are generated locally — no SMS, no network request, no telecom dependency. The secret is shared once during setup (usually by scanning a QR code).
Base32 Secret Format
TOTP secrets are Base32 encoded — uppercase letters A–Z and digits 2–7. They look like JBSWY3DPEHPK3PXP. You can find yours in your account's 2FA setup page.
Privacy: your secret never leaves the browser. Saved secrets are stored in localStorage on your device only — not on any server.