Security Tools

OTP Generator: Generate TOTP and HOTP One-Time Passwords Online

Generate RFC 6238 TOTP and RFC 4226 HOTP one-time passwords for testing and development of two-factor authentication systems.

Published January 15, 2025Updated June 1, 20255 min read

Try the free online tool

Runs entirely in your browser — no signup, no uploads.

Open Tool

One-Time Passwords (OTPs) are a cornerstone of modern two-factor authentication (2FA). Unlike static passwords, OTPs are valid for only a single use or a short time window, dramatically limiting the damage from phishing or credential theft. TOTP (Time-based One-Time Password, RFC 6238) and HOTP (HMAC-based One-Time Password, RFC 4226) are the two dominant OTP algorithms, used by Google Authenticator, Authy, Microsoft Authenticator, and hardware tokens like YubiKey.

TOTP generates a new 6- or 8-digit code every 30 seconds based on the current time and a shared secret key. HOTP generates codes based on a counter that increments with each use. Both use HMAC-SHA1 (or optionally HMAC-SHA256/SHA512 for TOTP) internally. The codes are short enough to type manually but expire quickly enough to be useless if intercepted shortly after use.

This tool lets you generate TOTP and HOTP codes from a Base32-encoded secret key, useful for testing 2FA integrations, verifying that your authentication server generates correct codes, debugging OTP implementations, or generating codes manually when your authenticator app is unavailable. All computation happens in your browser — no secrets are transmitted.

What Are TOTP and HOTP?

HOTP (HMAC-based One-Time Password, RFC 4226) generates codes by computing HMAC-SHA1 of a shared secret and a counter value, then truncating the result to a 6- or 8-digit decimal number. The server and client both maintain a synchronized counter. After each successful authentication, both increment the counter. Because the counter is the moving factor, HOTP codes do not expire until used.

TOTP (Time-based One-Time Password, RFC 6238) extends HOTP by replacing the counter with the current Unix timestamp divided by a time step (typically 30 seconds). Both the client and server independently compute the same code because they use the same time. Codes automatically expire after 30 seconds. TOTP is the algorithm behind virtually all modern authenticator apps.

Both algorithms require a shared secret key, typically encoded in Base32 and presented as a QR code when setting up 2FA. The secret must be securely stored on both the server and the authenticator device. If the secret is compromised, an attacker can generate valid OTPs indefinitely, so protecting the secret is as important as protecting the OTP codes themselves.

How to Use This Tool

Generate OTP codes for testing by providing a shared secret.

  1. 1

    Enter the secret key

    Paste the Base32-encoded shared secret into the Secret field. This is the same secret used to set up the authenticator app — found when you scan a QR code during 2FA enrollment. For testing, you can also enter any Base32 string.

  2. 2

    Select the OTP type

    Choose TOTP (time-based, refreshes every 30 seconds) or HOTP (counter-based, increments with each generation). For 2FA testing, TOTP is the most common type.

  3. 3

    Configure algorithm settings

    Set the number of digits (6 is standard, 8 is used by some enterprise systems), the time step in seconds for TOTP (default 30), or the counter value for HOTP. The hash algorithm is SHA-1 by default (per RFC standard), with SHA-256 and SHA-512 available for non-standard implementations.

  4. 4

    Generate the OTP

    Click Generate to compute the current OTP. For TOTP, the tool also shows a countdown to the next code change. For HOTP, click Generate each time you need a new code — it increments the counter.

  5. 5

    Compare with your authenticator

    Compare the generated code against what your authenticator app shows for the same secret. If they match, your secret is correctly configured. If they differ, verify the secret encoding, time synchronization, and algorithm settings.

Common Use Cases

OTP generation tools are essential for authentication development and testing.

  • Testing TOTP/HOTP integration in authentication systems by verifying that generated codes match those produced by reference implementations and authenticator apps.
  • Debugging 2FA setup flows where the QR code or secret key must be verified before showing it to users.
  • Emergency access to accounts when an authenticator app device is lost — if you have the backup secret key, this tool can generate valid codes.
  • Validating server-side OTP verification code by generating a known code and confirming the server accepts or rejects it correctly.
  • Learning about OTP algorithms and understanding how time-based codes work as part of security education.

Tips and Best Practices

Implement OTP correctly for robust two-factor authentication.

  • Store OTP secrets encrypted at rest on your server. Use envelope encryption: encrypt the secret with a data encryption key (DEK) that is itself encrypted with a key encryption key (KEK) stored in a hardware security module or secrets manager.
  • Allow a time window of ±1 step (30 seconds before and after) on your server when validating TOTP codes to account for client-server clock drift, but no more.
  • Track used HOTP/TOTP codes server-side and reject reuse of codes within their validity window to prevent replay attacks.
  • Provide backup codes (static single-use codes) when users enroll in 2FA, so they can recover access if they lose their authenticator device.
  • Encourage users to back up their OTP secrets (e.g., by scanning the QR code to a second device or saving the Base32 secret securely) to prevent lockout.

Security Considerations

TOTP codes are only as secure as the shared secret. If the secret is transmitted insecurely during enrollment (e.g., over HTTP), captured by a compromised device, or stored unencrypted in a database, an attacker can generate unlimited valid codes. The enrollment QR code must be scanned on a trusted device and never shared further.

OTP provides second-factor authentication — it is meaningful only when combined with a first factor (password). OTP alone is not authentication. Additionally, TOTP does not protect against real-time phishing attacks where an attacker captures the code and uses it within the 30-second window. Hardware security keys (FIDO2/WebAuthn) are phishing-resistant and provide stronger protection where available.

Frequently Asked Questions

What is the difference between TOTP and HOTP?

TOTP (Time-based OTP) generates codes based on the current time, so codes refresh automatically every 30 seconds without any action required. HOTP (HMAC-based OTP) generates codes based on an incrementing counter, so the code remains valid until used. TOTP is more widely used because its automatic expiry limits the window for code reuse.

Why does TOTP use Base32 for the secret key?

Base32 uses only uppercase letters and digits 2–7, which avoids characters that are easy to confuse (like 0/O or 1/I/l). This makes the secret easier to type manually if needed. Base32 is also URL-safe. The RFC 6238 standard specifies Base32 for OTP secret encoding for these reasons.

What happens if the TOTP codes from my app and this tool differ?

Verify that you are using the same Base32-encoded secret. Also confirm that the device clocks are synchronized (TOTP is sensitive to clock skew — more than 30 seconds off will produce different codes). Check that the algorithm (SHA-1 vs SHA-256), digit count (6 vs 8), and time step (30 vs 60 seconds) match between the tool and your authenticator.

Is it safe to enter my 2FA secret into this tool?

This tool processes the secret entirely in your browser with no server-side computation or network requests. However, entering real production 2FA secrets into any web tool carries risk if your browser environment is compromised (extensions, malware). Use this tool for testing with test secrets, not for generating codes from production account secrets.

How long is a TOTP code valid?

By default, TOTP codes are valid for 30 seconds (one time step). Most server implementations accept codes from the previous step and the next step as well (±30 seconds) to tolerate clock drift, giving a practical validity window of up to 90 seconds. After that, the code is rejected.

Can OTP protect against phishing attacks?

TOTP/HOTP provides significant protection against offline attacks (stolen password databases) but is vulnerable to real-time phishing: an attacker who tricks you into entering your OTP code on a fake site can immediately relay it to the real site. FIDO2/WebAuthn hardware keys are phishing-resistant and recommended where strong anti-phishing protection is needed.

What should I do if I lose my 2FA device?

Use the backup codes provided when you enrolled in 2FA to log in. Then immediately re-enroll 2FA with a new authenticator. If you saved the Base32 secret (or a copy of the QR code), you can re-add it to a new authenticator app. If none of these options are available, contact the service's support team for account recovery.

OTP generatorTOTPHOTPtwo-factor authentication2FA

Ready to use this tool?

Free, instant, no account required. Runs entirely in your browser.

Open Tool

More Security Tools Guides

Password Generator: Create Cryptographically Secure Passwords Online

5 min read

Password Strength Checker: How to Evaluate and Improve Your Password

5 min read

Hash Generator: Create MD5, SHA-256, and SHA-512 Hashes Online

5 min read

Hash Compare: Verify File and Data Integrity by Comparing Hashes

4 min read