About OTP Generator

Use OTP Generator to debug TOTP/2FA. The tool runs in your browser for fast results and keeps your data local.

How to Use

  1. Add your input or data.
  2. Adjust options if needed.
  3. Review the result and copy it.

What is TOTP?

TOTP (Time-based One-Time Password) is a two-factor authentication algorithm that generates temporary codes based on the current time and a shared secret key. TOTP codes are typically 6 digits, change every 30 seconds, and are used by apps like Google Authenticator, Authy, and Microsoft Authenticator. The algorithm (RFC 6238) divides the current Unix timestamp by 30 to get a time-step counter, computes HMAC-SHA1 over that counter using the secret as the key, and truncates the result to the displayed digits. TOTP provides strong security for account protection, requiring both something you know (password) and something you have (device with TOTP app). Understanding TOTP is essential for implementing multi-factor authentication and debugging MFA issues.

Common Use Cases

TOTP is essential for multi-factor authentication and security. Developers implement TOTP for user account protection in web applications. Security teams test MFA implementations and troubleshoot authentication issues. System administrators set up TOTP for server and VPN access. Users recover access when authenticator apps are lost or reset. Developers debug TOTP integration with third-party services. Penetration testers verify TOTP implementation security. Backup and recovery teams generate emergency access codes.

  • Implementing MFA for user accounts
  • Testing and debugging TOTP implementations
  • Server and VPN access authentication
  • Account recovery when authenticator lost
  • Debugging third-party TOTP integrations
  • Security testing of MFA systems
  • Emergency access code generation
  • Migrating TOTP secrets between devices

Best Practices & Tips

Store TOTP secrets securely—they provide full account access if compromised. Use Base32 encoding for secrets as per RFC standard. Implement time synchronization tolerance (±1 period) for clock skew. Provide backup codes for account recovery if TOTP device is lost. Use QR codes for easy secret transfer to authenticator apps. Implement rate limiting to prevent brute force attacks on TOTP codes. Allow users to disable TOTP only after verifying identity. Test TOTP implementation with multiple authenticator apps for compatibility.

  • Store secrets securely—they grant full access
  • Use Base32 encoding per RFC standard
  • Implement ±1 period tolerance for clock skew
  • Provide backup codes for device loss
  • Use QR codes for easy secret transfer
  • Rate limit to prevent brute force attacks
  • Require identity verification to disable TOTP
  • Test with multiple authenticator apps

Troubleshooting Common Issues

If TOTP codes do not work, verify that the device time is synchronized; clock skew causes mismatches. If codes are rejected, check that the secret is correctly encoded in Base32. If QR code scanning fails, manually enter the secret key. If codes work intermittently, implement time tolerance (±30 seconds). If multiple devices show different codes, verify they use the same secret. If codes never work, verify that the TOTP algorithm matches on both sides (SHA1 is standard). If backup codes fail, check whether they have already been used (they are single-use) or have expired. If time sync is impossible, use HOTP (counter-based) instead of TOTP.

  • Clock skew causing code mismatches
  • Incorrect Base32 encoding of secret
  • QR code scanning failures
  • Intermittent failures from time tolerance issues
  • Different codes on multiple devices
  • Algorithm mismatch (SHA1 vs SHA256)
  • Backup codes already used or expired
  • Time synchronization impossible on device
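
To reproduce the checks above outside an authenticator app, the following added example (not code from this tool) implements RFC 6238 code generation, tolerant Base32 decoding of the secret, and verification with a ±1 period window. The function names are hypothetical, and the sample secret is the published RFC 6238 test secret, not a real credential.

```python
import base64, hashlib, hmac, struct, time

def decode_secret(b32: str) -> bytes:
    """Base32-decode a secret the way authenticator apps accept it:
    spaces, dashes, lower case and missing '=' padding are tolerated."""
    s = b32.replace(" ", "").replace("-", "").upper().rstrip("=")
    s += "=" * (-len(s) % 8)          # restore padding to a multiple of 8
    return base64.b32decode(s)        # raises binascii.Error on invalid characters

def totp(key: bytes, at: float, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 code for Unix time `at` (algo: sha1, sha256 or sha512)."""
    counter = struct.pack(">Q", max(int(at), 0) // step)  # 8-byte big-endian time step
    mac = hmac.new(key, counter, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                               # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key, code, at, window=1, step=30, digits=6, algo="sha1"):
    """Return the step offset (-window..+window) at which `code` matches,
    or None. Every candidate is compared in constant time."""
    matched = None
    for drift in range(-window, window + 1):
        candidate = totp(key, at + drift * step, step, digits, algo)
        if hmac.compare_digest(candidate.encode(), code.encode()) and matched is None:
            matched = drift
    return matched

# Constructed sample: RFC 6238 test secret (ASCII "12345678901234567890"),
# written the way a user might paste it: lower case, grouped with spaces.
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET)
    now = time.time()
    print("current code:", totp(key, now))
    # A code from the previous period is still accepted, reported as drift -1.
    print("previous-period code matches at drift:", verify(key, totp(key, now - 30), now))
    # Same secret, different hash: this is what an algorithm mismatch looks like.
    print("sha256 code:", totp(key, now, algo="sha256"))
```

A non-zero drift returned by `verify` points to clock skew between the device and the server.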

Frequently Asked Questions

Is OTP Generator free to use?

Yes. OTP Generator is free and works directly in your browser.

Does OTP Generator upload my data?

No. Most processing happens locally. Any network requests are clearly indicated.

What formats does OTP Generator support?

OTP Generator supports the common formats described on the page. Convert uncommon formats before pasting.

How should I share results from OTP Generator?

Copy the output and review any sensitive data before sharing or publishing.