TOTP Generator — How Two-Factor Authentication (2FA) Codes Work

Dovecot 閲覧

What Is TOTP?

TOTP (Time-based One-Time Password) is the 2FA standard defined by RFC 6238. It generates a new 6-digit code every 30 seconds using a shared secret key and the current timestamp — the authentication server runs the same algorithm independently and verifies your code without any network transmission of the secret.

Every time you scan a QR code in Google Authenticator, Microsoft Authenticator, or Authy, you're setting up a TOTP account.

How TOTP Works Step by Step

  1. Shared secret: The service generates a random Base32-encoded key (shown as a QR code). Both your app and the server store a copy.
  2. Time counter: Divide the current Unix timestamp by 30 to get the current time window counter (T)
  3. HMAC-SHA1: Apply HMAC-SHA1 using the secret key and counter T, producing a 20-byte result
  4. Extract 6 digits: Use dynamic truncation to extract 4 bytes, convert to a 6-digit decimal number
  5. Verification: The server computes the same value and compares (allowing ±1 time window for clock drift)

TOTP vs. SMS Verification Codes

FeatureTOTP (Authenticator App)SMS
SecurityHigh — secret never transmittedMedium — vulnerable to SIM swapping
AvailabilityWorks offlineRequires cellular signal
SpeedInstantMay be delayed
CostFreeCarrier charges apply
Phishing riskLow — 30-second windowMedium — longer validity
Device loss riskHigh if no backupLow — SIM can be replaced

How to Use the TOTP Generator

Use tool.tl's TOTP generator:

  1. Go to tool.tl/totp-generator
  2. Enter a Base32-encoded TOTP secret key (or use a generated sample key)
  3. The current 6-digit code displays instantly with a countdown to the next refresh
  4. Use it to verify that your 2FA implementation correctly follows the TOTP algorithm

All computation happens locally in your browser — the secret key is never sent to any server.

  • Google Authenticator: Most widely used, simple — but lacks cloud backup (risky if phone is lost)
  • Authy: Multi-device sync and encrypted backup — easiest phone migration
  • Microsoft Authenticator: Deep Microsoft account integration, supports backup
  • 1Password: Built-in TOTP in the password manager — convenient if you already use it
  • Bitwarden: Open-source password manager with TOTP on premium plan

TOTP Security Best Practices

  • Back up your secret keys: When setting up 2FA, save the Base32 key or QR code securely — losing it can permanently lock you out
  • Use Authy or cloud backup: Don't rely solely on Google Authenticator which has no backup
  • Anti-phishing: TOTP codes expire in 30 seconds, but still never enter them on suspicious sites
  • Keep device time accurate: TOTP depends on synchronized clocks — a drifting clock causes validation failures

Frequently Asked Questions

Why do TOTP codes change every 30 seconds?

30 seconds is the standard time step defined by RFC 6238 — it balances security (short enough that intercepted codes are nearly useless) and usability (enough time to read and type the code).

How do I migrate 2FA when switching phones?

Google Authenticator has an export feature that generates a migration QR code. Authy automatically restores on a new device after phone number verification. The safest approach is to save your initial secret keys in a secure backup before you need to migrate.

Is the tool free?

Yes — tool.tl's TOTP generator is completely free, runs entirely in your browser with no server contact, and requires no account.