UseToolSuite

TOTP / 2FA Generator

Generate secure Time-based One-Time Passwords directly in your browser.

100% Client-Side Web Crypto API Zero Server Network Telemetry Strict RFC 6238 Compliance Ephemeral State Memory Sandboxing

TOTP / 2FA Generator is a free, browser-based tool from UseToolSuite's Generator Tools collection. All processing happens locally on your device — your data is never uploaded to any server. Use the tool below, then scroll down for detailed documentation, frequently asked questions, and related resources.


How to Use This Tool

  1. Secret Seed Injection

    Provide the Base32-encoded secret seed supplied by the authentication provider.

  2. Cryptographic Hashing

    The Web Crypto API computes an HMAC-SHA1 over the current Unix epoch time-step, keyed with the decoded secret seed.

  3. Token Extraction

    Read the resulting 6-digit authentication token and use it before the 30-second time window expires.
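
The three steps above, written out as an added example (this is not the tool's own source code). The names `base32Decode`, `totp` and `RFC_TEST_SECRET` are illustrative, and the sample secret is the published test key from RFC 6238 Appendix B, not a real credential.

```javascript
// Web Crypto is global in browsers and current Node; older Node exposes it via node:crypto.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Constructed sample input: the RFC 6238 Appendix B test key
// ("12345678901234567890" in ASCII), Base32-encoded. Not a real secret.
const RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
const B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Step 1: decode the Base32 secret (RFC 4648). Whitespace, lowercase and "="
// padding are tolerated; any other character (0, 1, 8, 9, ...) is rejected.
function base32Decode(secret) {
  const clean = secret.replace(/\s+/g, "").replace(/=+$/, "").toUpperCase();
  if (clean.length === 0) throw new Error("empty secret");
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of clean) {
    const v = B32_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error(`invalid Base32 character: ${JSON.stringify(ch)}`);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return new Uint8Array(out);
}

// Steps 2 and 3: HMAC-SHA1 over the 8-byte big-endian time-step counter,
// then RFC 4226 dynamic truncation down to `digits` decimal digits.
async function totp(secret, unixSeconds = Math.floor(Date.now() / 1000),
                    { period = 30, digits = 6 } = {}) {
  const counter = Math.floor(unixSeconds / period);
  const msg = new DataView(new ArrayBuffer(8));
  msg.setUint32(0, Math.floor(counter / 2 ** 32)); // high 32 bits
  msg.setUint32(4, counter >>> 0);                 // low 32 bits
  const key = await subtle.importKey("raw", base32Decode(secret),
    { name: "HMAC", hash: "SHA-1" }, false, ["sign"]); // non-extractable key
  const mac = new Uint8Array(await subtle.sign("HMAC", key, msg.buffer));
  const off = mac[19] & 0x0f; // low nibble of the last byte picks the offset
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) |
              (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}
```

When `unixSeconds` is omitted the counter comes from the local clock, so the code is only as accurate as that clock.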


Key Concepts

Essential terms and definitions related to TOTP / 2FA Generator.

TOTP (RFC 6238)

Time-Based One-Time Password algorithm; an IETF standard that computes a one-time passcode from a shared secret key and the current Unix time.

HMAC (Keyed-Hash Message Authentication Code)

A specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key, utilized as the core validation engine for TOTP tokens.

Base32 Encoding

A numeral system utilizing 32 characters (A-Z, 2-7) to represent binary data in a human-readable format, heavily utilized in 2FA shared secrets to eliminate visually ambiguous characters.

Frequently Asked Questions

Does the generator synchronize its temporal window with an external NTP server?

No. To maintain absolute zero network footprint, the generator strictly derives the temporal window from your local hardware clock. If your device clock drifts significantly from true UTC, generated tokens will be systematically rejected by the target server.

Is the secret seed transmitted or cached locally?

The secret is evaluated ephemerally in RAM using the Web Crypto API. It is never transmitted over the network and is deliberately excluded from LocalStorage or IndexedDB to prevent unauthorized extraction.

Why does the tool reject certain alphanumeric input strings?

Standard TOTP (RFC 6238) secrets are distributed as Base32-encoded strings (comprising A-Z and 2-7). The digits 0, 1, 8 and 9 are not part of the Base32 alphabet and will trigger a padding or decoding fault.

Troubleshooting & Technical Tips

Common errors developers encounter and how to resolve them.

Tokens Constantly Rejected by Target Authentication Server

This is almost always caused by local clock drift. The TOTP algorithm requires the client and server clocks to match within a ~30-second tolerance. Sync your operating system clock with an authoritative NTP server.

Base32 Decoding Exception (Invalid Character)

The provided secret string contains invalid characters or improper padding boundaries. Ensure you have not accidentally copied trailing whitespace or confused an "O" (letter) with a "0" (number).
