PublicSoftTools
Tools16 min read·PublicSoftTools Team·May 2026

TOTP 2FA Code Generator — How Time-Based One-Time Passwords Work

TOTP (Time-based One-Time Password) is the algorithm behind every authenticator app — Google Authenticator, Authy, Microsoft Authenticator. It generates 6-digit codes that rotate every 30 seconds using a shared secret and the current time. Understanding how it works helps you use it correctly, choose the right authenticator app, and know what to do when codes stop working. The free TOTP code generator on PublicSoftTools demonstrates the algorithm with any secret key.

How TOTP Works: The Algorithm

TOTP is defined in RFC 6238 and works in three steps:

  1. Time step: Divide the current Unix timestamp by 30 (the time step). This gives an integer that changes every 30 seconds — the same for both the server and your app as long as clocks are synchronised.
  2. HMAC calculation: Compute HMAC-SHA1(secret, time_step). The shared secret is the Base32-encoded string from the QR code you scanned. HMAC-SHA1 produces a 20-byte hash.
  3. Truncation: Use a dynamic truncation of the HMAC to extract a 4-byte value, convert to integer, take modulo 10⁶ (for a 6-digit code), and zero-pad to 6 digits. This is the code your authenticator displays.

The server does exactly the same calculation using the time and the stored secret. If the codes match, authentication succeeds. Because both sides use time as an input and codes expire every 30 seconds, a captured code is useless 30 seconds after capture — unlike a static password.

Two-Factor Authentication Methods Compared

MethodSecurityPhishing-resistant?How it works
TOTP (Authenticator app)HighPartially (code can be phished in real-time)30-second rotating codes generated by app using shared secret + current time
FIDO2 / WebAuthn (hardware key or passkey)Very highYes (cryptographically bound to origin)Public-key cryptography; device proves identity without sharing a code
SMS / text messageLow-moderateNoOTP sent via SMS to registered phone number
Email OTPLow-moderateNoOTP sent to registered email address
Push notification (Duo, Okta Verify)HighPartially (MFA fatigue attacks possible)App receives push; user approves or denies
Passkey (platform/synced)Very highYesDevice creates and stores a cryptographic key pair; private key never leaves device

Authenticator Apps Compared

AppPlatformCloud backupKey features
Google AuthenticatoriOS, AndroidGoogle account backup (optional)Simple, minimal UI; widely supported; QR code import
AuthyiOS, Android, Desktop (Mac, Windows, Linux)Encrypted cloud backup (Authy account)Multi-device sync; encrypted backup; desktop app; PIN lock
Microsoft AuthenticatoriOS, AndroidMicrosoft account backupPasswordless login for Microsoft accounts; push notifications for Microsoft services; cloud backup
1PasswordiOS, Android, Mac, Windows, Linux, browserYes (1Password subscription)TOTP integrated with password manager; autofill; shared vaults
Bitwarden (Premium)iOS, Android, Mac, Windows, Linux, browserYesTOTP in open-source password manager; $10/year premium required for TOTP
Aegis (Android)Android onlyManual encrypted backupOpen-source; encrypted local vault; manual export/import for backup; no cloud dependency
Raivo OTP (iOS)iOS/macOS onlyiCloud backupOpen-source; clean UI; Apple Watch support; iCloud sync

Setting Up TOTP: Step by Step

  1. Go to the site's security settings. Look for "Two-factor authentication," "2-Step Verification," or "Authenticator app."
  2. Choose "Authenticator app" (not SMS — more secure).
  3. Open your authenticator app and scan the QR code shown on screen. The QR code contains an otpauth:// URI with your account name and the shared secret.
  4. Enter the current 6-digit code to verify the setup worked.
  5. Save your backup codes. Most sites generate 6–10 one-time backup codes. Store these securely — in your password manager, printed and locked away, or both. These are your emergency access if you lose your phone.
  6. Test immediately by logging out and back in with the new 2FA requirement.

Why TOTP Codes Stop Working

The most common reason TOTP codes fail is clock drift — the time on your phone differs from the server's time, causing the code calculation to diverge. TOTP servers typically accept codes from the current 30-second window plus one window before and after (90-second total tolerance). If your phone's clock is off by more than 90 seconds, codes will fail.

Fix: ensure your phone's time is set to automatic (synced via network time protocol). In Google Authenticator specifically, there is a "Time correction for codes" option in settings that syncs the app's time offset independently of the system clock.

Other reasons codes can fail: account setup error (you scanned the wrong QR code or entered the wrong secret manually); the site required completing setup with a verification code but you didn't; or you're using a backup code that's already been used.

Backup Codes: The Safety Net

When you set up 2FA, save the backup codes — these are one-time-use codes that bypass the authenticator requirement. They are your recovery method if:

Best practice for backup codes:

TOTP Security Limitations

TOTP is significantly more secure than SMS-based 2FA or no 2FA, but it has limitations:

Common Questions

What is the difference between TOTP and HOTP?

HOTP (HMAC-based OTP, RFC 4226) uses a counter rather than time — each code use increments the counter. TOTP (RFC 6238) extends HOTP by using the time-step as the counter. HOTP codes do not expire (they are valid until used), which is both an advantage (no clock sync requirement) and a disadvantage (captured unused codes remain valid). TOTP's 30-second window makes captured codes useless almost immediately. TOTP is the standard used by all major authenticator apps; HOTP is used in some hardware tokens.

Can I use TOTP without a smartphone?

Yes. Options include: desktop authenticator apps (Authy desktop, Bitwarden, 1Password browser extension); hardware security keys that support TOTP (YubiKey with YubiKey Authenticator app); command-line TOTP tools (oathtool); browser extensions that support TOTP. For accounts where smartphone loss would lock you out, setting up TOTP on multiple devices (using the same QR code at setup time) provides redundancy — scan the QR code simultaneously on your phone and tablet, and both generate valid codes.

Should I use TOTP or passkeys?

Where passkeys are available, they are more secure than TOTP — they are phishing-resistant (cryptographically bound to the site's origin, so a phishing site cannot capture the key), simpler to use (biometric confirmation, no code to type), and require no backup code management. Major sites (Google, Apple, Microsoft, GitHub, Amazon, PayPal) now support passkeys. Use passkeys where offered; use TOTP as the next-best option where passkeys are not yet available.

Generate TOTP Codes

Test the TOTP algorithm with any secret key. See the current 6-digit code and time remaining in the 30-second window.

Open TOTP Code Generator