What Is TOTP?
TOTP (Time-based One-Time Password) is the 2FA standard defined by RFC 6238. It generates a new 6-digit code every 30 seconds using a shared secret key and the current timestamp — the authentication server runs the same algorithm independently and verifies your code without any network transmission of the secret.
Every time you scan a QR code in Google Authenticator, Microsoft Authenticator, or Authy, you're setting up a TOTP account.
How TOTP Works Step by Step
- Shared secret: The service generates a random Base32-encoded key (shown as a QR code). Both your app and the server store a copy.
- Time counter: Divide the current Unix timestamp by 30 to get the current time window counter (T)
- HMAC-SHA1: Apply HMAC-SHA1 using the secret key and counter T, producing a 20-byte result
- Extract 6 digits: Use dynamic truncation to extract 4 bytes, convert to a 6-digit decimal number
- Verification: The server computes the same value and compares (allowing ±1 time window for clock drift)
TOTP vs. SMS Verification Codes
| Feature | TOTP (Authenticator App) | SMS |
| Security | High — secret never transmitted | Medium — vulnerable to SIM swapping |
| Availability | Works offline | Requires cellular signal |
| Speed | Instant | May be delayed |
| Cost | Free | Carrier charges apply |
| Phishing risk | Low — 30-second window | Medium — longer validity |
| Device loss risk | High if no backup | Low — SIM can be replaced |
How to Use the TOTP Generator
Use tool.tl's TOTP generator:
- Go to tool.tl/totp-generator
- Enter a Base32-encoded TOTP secret key (or use a generated sample key)
- The current 6-digit code displays instantly with a countdown to the next refresh
- Use it to verify that your 2FA implementation correctly follows the TOTP algorithm
All computation happens locally in your browser — the secret key is never sent to any server.
Recommended Authenticator Apps
- Google Authenticator: Most widely used, simple — but lacks cloud backup (risky if phone is lost)
- Authy: Multi-device sync and encrypted backup — easiest phone migration
- Microsoft Authenticator: Deep Microsoft account integration, supports backup
- 1Password: Built-in TOTP in the password manager — convenient if you already use it
- Bitwarden: Open-source password manager with TOTP on premium plan
TOTP Security Best Practices
- Back up your secret keys: When setting up 2FA, save the Base32 key or QR code securely — losing it can permanently lock you out
- Use Authy or cloud backup: Don't rely solely on Google Authenticator which has no backup
- Anti-phishing: TOTP codes expire in 30 seconds, but still never enter them on suspicious sites
- Keep device time accurate: TOTP depends on synchronized clocks — a drifting clock causes validation failures
Frequently Asked Questions
Why do TOTP codes change every 30 seconds?
30 seconds is the standard time step defined by RFC 6238 — it balances security (short enough that intercepted codes are nearly useless) and usability (enough time to read and type the code).
How do I migrate 2FA when switching phones?
Google Authenticator has an export feature that generates a migration QR code. Authy automatically restores on a new device after phone number verification. The safest approach is to save your initial secret keys in a secure backup before you need to migrate.
Yes — tool.tl's TOTP generator is completely free, runs entirely in your browser with no server contact, and requires no account.