
TOTP Secret Generator

Generate a TOTP secret for two-factor authentication. Scan the QR code with Google Authenticator, Authy, or 1Password to set up 2FA.

All processing happens in your browser — nothing is sent to our servers
[QR code] Scan with authenticator app
Secret Key (base32): KZZQ 6OEK FAQA 72GG WFMU R7Z3 K3NC 76BM
otpauth:// URI: otpauth://totp/MyApp:user%40example.com?secret=KZZQ6OEKFAQA72GGWFMUR7Z3K3NC76BM&issuer=MyApp&algorithm=SHA1&digits=6&period=30
Algorithm: SHA-1
Digits: 6
Period: 30s

How to Add to Your App

1. Generate the secret and store it securely in your database (encrypted at rest) linked to the user.
2. Show this QR code to the user once during setup — they scan it with their authenticator app.
3. On login, prompt for the 6-digit code and verify it server-side using a TOTP library (e.g. speakeasy for Node, pyotp for Python, GoogleAuthenticator for Java).

Never regenerate the secret after setup — that invalidates the user's authenticator.

How it works
TOTP Two-Factor Authentication (RFC 6238)
01 Shared secret

20-byte random secret established once — stored in Base32 in the authenticator app

02 Time counter T

T = floor(unix_timestamp / 30) — a counter that increments every 30 seconds

03 HMAC-SHA1

HMAC-SHA1(secret, T as 8-byte big-endian) — produces a 20-byte MAC

04 Dynamic truncation

Last nibble of HMAC is the offset; 4 bytes starting at that offset are extracted

05 6-digit OTP

(extracted_value & 0x7FFFFFFF) mod 10^6 — the code shown in your authenticator

Spec: RFC 6238 (TOTP), RFC 4226 (HOTP), RFC 2104 (HMAC)

Codes are valid for ±1 time step (30s window) to allow for clock skew. The secret must be protected with the same care as a password — it's the key to all future OTPs.
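The five steps above, plus the server-side check with the ±1 step window, as an added stand-alone Python example (not the tool's own code and not pyotp). It decodes the spaced Base32 form shown to users, and adds one thing the page does not describe: a replay guard that refuses any time step at or below the last one the user already consumed, which the caller is assumed to persist per user.

```python
import base64
import hashlib
import hmac
import struct


def decode_base32_secret(text: str) -> bytes:
    """Accept the spaced/lowercase form shown to users; restore '=' padding."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # last nibble selects the offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with T = floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used_step: int = -1,
                period: int = 30, digits: int = 6, window: int = 1):
    """Server-side check accepting the current step and +-window steps for skew.

    Returns the accepted time step so the caller can store it as the user's
    last_used_step (assumed persistence, not on the page) and reject replays;
    returns None when the code is not valid. Step 0 is a valid result, so
    callers must test `is not None`, not truthiness.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = unix_time // period
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue                              # already consumed: replay
        if hmac.compare_digest(hotp(secret, step, digits), code):
            return step
    return None
```

The RFC 4226 Appendix D / RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890") reproduces the published codes, which is the quickest way to confirm a hand-rolled implementation before trusting it.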
