TOTP 2FA Code Generator — How Time-Based One-Time Passwords Work
TOTP (Time-based One-Time Password) is the algorithm behind every authenticator app — Google Authenticator, Authy, Microsoft Authenticator. It generates 6-digit codes that rotate every 30 seconds using a shared secret and the current time. Understanding how it works helps you use it correctly, choose the right authenticator app, and know what to do when codes stop working. The free TOTP code generator on PublicSoftTools demonstrates the algorithm with any secret key.
How TOTP Works: The Algorithm
TOTP is defined in RFC 6238 and works in three steps:
- Time step: Divide the current Unix timestamp by 30 (the time step). This gives an integer that changes every 30 seconds — the same for both the server and your app as long as clocks are synchronised.
- HMAC calculation: Compute HMAC-SHA1(secret, time_step). The shared secret is the Base32-encoded string from the QR code you scanned. HMAC-SHA1 produces a 20-byte hash.
- Truncation: Use a dynamic truncation of the HMAC to extract a 4-byte value, convert to integer, take modulo 10⁶ (for a 6-digit code), and zero-pad to 6 digits. This is the code your authenticator displays.
The server does exactly the same calculation using the time and the stored secret. If the codes match, authentication succeeds. Because both sides use time as an input and codes expire every 30 seconds, a captured code is useless 30 seconds after capture — unlike a static password.
Two-Factor Authentication Methods Compared
| Method | Security | Phishing-resistant? | How it works |
|---|---|---|---|
| TOTP (Authenticator app) | High | Partially (code can be phished in real-time) | 30-second rotating codes generated by app using shared secret + current time |
| FIDO2 / WebAuthn (hardware key or passkey) | Very high | Yes (cryptographically bound to origin) | Public-key cryptography; device proves identity without sharing a code |
| SMS / text message | Low-moderate | No | OTP sent via SMS to registered phone number |
| Email OTP | Low-moderate | No | OTP sent to registered email address |
| Push notification (Duo, Okta Verify) | High | Partially (MFA fatigue attacks possible) | App receives push; user approves or denies |
| Passkey (platform/synced) | Very high | Yes | Device creates and stores a cryptographic key pair; private key never leaves device |
Authenticator Apps Compared
| App | Platform | Cloud backup | Key features |
|---|---|---|---|
| Google Authenticator | iOS, Android | Google account backup (optional) | Simple, minimal UI; widely supported; QR code import |
| Authy | iOS, Android, Desktop (Mac, Windows, Linux) | Encrypted cloud backup (Authy account) | Multi-device sync; encrypted backup; desktop app; PIN lock |
| Microsoft Authenticator | iOS, Android | Microsoft account backup | Passwordless login for Microsoft accounts; push notifications for Microsoft services; cloud backup |
| 1Password | iOS, Android, Mac, Windows, Linux, browser | Yes (1Password subscription) | TOTP integrated with password manager; autofill; shared vaults |
| Bitwarden (Premium) | iOS, Android, Mac, Windows, Linux, browser | Yes | TOTP in open-source password manager; $10/year premium required for TOTP |
| Aegis (Android) | Android only | Manual encrypted backup | Open-source; encrypted local vault; manual export/import for backup; no cloud dependency |
| Raivo OTP (iOS) | iOS/macOS only | iCloud backup | Open-source; clean UI; Apple Watch support; iCloud sync |
Setting Up TOTP: Step by Step
- Go to the site's security settings. Look for "Two-factor authentication," "2-Step Verification," or "Authenticator app."
- Choose "Authenticator app" (not SMS — more secure).
- Open your authenticator app and scan the QR code shown on screen. The QR code contains an otpauth:// URI with your account name and the shared secret.
- Enter the current 6-digit code to verify the setup worked.
- Save your backup codes. Most sites generate 6–10 one-time backup codes. Store these securely — in your password manager, printed and locked away, or both. These are your emergency access if you lose your phone.
- Test immediately by logging out and back in with the new 2FA requirement.
Why TOTP Codes Stop Working
The most common reason TOTP codes fail is clock drift — the time on your phone differs from the server's time, causing the code calculation to diverge. TOTP servers typically accept codes from the current 30-second window plus one window before and after (90-second total tolerance). If your phone's clock is off by more than 90 seconds, codes will fail.
Fix: ensure your phone's time is set to automatic (synced via network time protocol). In Google Authenticator specifically, there is a "Time correction for codes" option in settings that syncs the app's time offset independently of the system clock.
Other reasons codes can fail: account setup error (you scanned the wrong QR code or entered the wrong secret manually); the site required completing setup with a verification code but you didn't; or you're using a backup code that's already been used.
Backup Codes: The Safety Net
When you set up 2FA, save the backup codes — these are one-time-use codes that bypass the authenticator requirement. They are your recovery method if:
- You lose or break your phone
- You change phones and forget to transfer authenticator data
- Your authenticator app data is corrupted
Best practice for backup codes:
- Store in your password manager (in the same entry as the login credentials)
- Print and store physically in a secure location (home safe, secure drawer)
- Never store in plaintext email or cloud documents without encryption
- Regenerate backup codes if you believe the old ones may have been compromised
TOTP Security Limitations
TOTP is significantly more secure than SMS-based 2FA or no 2FA, but it has limitations:
- Real-time phishing: A sophisticated phishing attack can prompt you for your TOTP code in real time, relay it to the real site, and use it within the 30-second window. FIDO2/passkeys are phishing-resistant; TOTP is not fully resistant.
- Shared secret exposure: The QR code contains the shared secret. If an attacker captures the QR code during setup, they can generate valid codes forever. Only set up TOTP on trusted devices and connections.
- Device compromise: If your phone is compromised by malware, your authenticator app's secrets may be extractable. Treat your phone's PIN/biometric as the gate to your 2FA.
- Single device risk: If your authenticator app is only on one device, losing that device loses access to all accounts. Use cloud backup or store backup codes.
Common Questions
What is the difference between TOTP and HOTP?
HOTP (HMAC-based OTP, RFC 4226) uses a counter rather than time — each code use increments the counter. TOTP (RFC 6238) extends HOTP by using the time-step as the counter. HOTP codes do not expire (they are valid until used), which is both an advantage (no clock sync requirement) and a disadvantage (captured unused codes remain valid). TOTP's 30-second window makes captured codes useless almost immediately. TOTP is the standard used by all major authenticator apps; HOTP is used in some hardware tokens.
Can I use TOTP without a smartphone?
Yes. Options include: desktop authenticator apps (Authy desktop, Bitwarden, 1Password browser extension); hardware security keys that support TOTP (YubiKey with YubiKey Authenticator app); command-line TOTP tools (oathtool); browser extensions that support TOTP. For accounts where smartphone loss would lock you out, setting up TOTP on multiple devices (using the same QR code at setup time) provides redundancy — scan the QR code simultaneously on your phone and tablet, and both generate valid codes.
Should I use TOTP or passkeys?
Where passkeys are available, they are more secure than TOTP — they are phishing-resistant (cryptographically bound to the site's origin, so a phishing site cannot capture the key), simpler to use (biometric confirmation, no code to type), and require no backup code management. Major sites (Google, Apple, Microsoft, GitHub, Amazon, PayPal) now support passkeys. Use passkeys where offered; use TOTP as the next-best option where passkeys are not yet available.
Generate TOTP Codes
Test the TOTP algorithm with any secret key. See the current 6-digit code and time remaining in the 30-second window.
Open TOTP Code Generator