TOTP Generator (2FA)

TOTP (Time-Based One-Time Password) generates 6-8 digit codes that change every 30 seconds, providing a second factor of authentication beyond passwords. The algorithm combines a shared secret key (typically 160 bits, encoded as a base32 string like JBSWY3DPEHPK3PXP) with the current Unix timestamp divided by 30 (the time step). This value is passed through HMAC-SHA1, and a portion of the output is converted to a 6-digit number. Because both the server and your authenticator app share the same secret and use the same time reference, they independently compute the same code. Most implementations accept the current code plus one code before and after (a window of ±30 seconds) to account for clock drift between devices. The QR code you scan when setting up 2FA contains a URI like otpauth://totp/Service:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Service — this encodes the secret key, the service name, and the account identifier. This tool generates TOTP codes and secrets locally in your browser using the Web Crypto API, compatible with Google Authenticator, Authy, and 1Password.

Adding TOTP-based two-factor authentication to a web application involves several steps. During enrollment: generate a random secret (20-32 bytes), encode it as base32, create an otpauth:// URI, and display it as a QR code. Store the secret securely on your server (encrypted at rest). During verification: the user submits the 6-digit code from their authenticator app, your server generates the expected code using the stored secret, and you compare them. Allow a window of ±1 step (3 codes total) to handle network latency and clock drift. Critical security considerations: always provide backup codes (typically 8-10 single-use codes) in case the user loses their authenticator device. Rate-limit verification attempts (5 attempts per minute) to prevent brute-forcing (a 6-digit code has only 1 million possibilities). Store the user's last validated timestamp to prevent replay attacks — never accept a code that was already used. The RFC 6238 standard defines the algorithm, and libraries exist for every major platform: speakeasy for Node.js, pyotp for Python, rotp for Ruby, and GoogleAuthenticator for PHP.