TOTP Secret Generator
Generate Base32 TOTP secrets for 2FA apps (Google Authenticator, Authy, 1Password). Includes otpauth:// QR code for instant setup.
Last updated: April 2026 · Runs in your browser · No sign-up
Implementing TOTP server-side
Store the Base32 secret per user (encrypted, not hashed: the server needs the raw bytes to compute codes). On login, after the password is verified, ask for the 6-digit code. Compute the time step as floor(unix_time / 30), take HMAC-SHA1 of that counter encoded as an 8-byte big-endian integer, apply RFC 4226 dynamic truncation (read 4 bytes at the offset given by the low nibble of the last MAC byte, clear the top bit) and reduce modulo 10^6, zero-padded to 6 digits. Accept a ±1 step window to tolerate clock skew, compare the codes in constant time, and never accept a step at or before the last step that succeeded for that user, so a code captured in transit can't be replayed while it is still valid. Rate-limit attempts: with a ±1 window a single guess succeeds with probability 3 in 10^6, which is only acceptable if guessing is throttled.
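The server-side flow above, as an added example that is not code from this page or its generator. Function names (`hotp`, `totp`, `verify`, `generate_secret`) are my own; the only fixed input is the RFC 6238 Appendix B SHA-1 test secret, which is the ASCII string 12345678901234567890 in Base32, so the codes the block produces can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

PERIOD = 30   # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length
WINDOW = 1    # also accept the previous and next step to tolerate clock skew

# RFC 6238 Appendix B SHA-1 test key: Base32 of the ASCII bytes "12345678901234567890".
RFC6238_SHA1_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random secret, Base32-encoded. 20 bytes = 160 bits = 32 chars, no padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    s = secret_b32.replace(" ", "")
    s += "=" * (-len(s) % 8)                      # tolerate secrets stored without '=' padding
    key = base64.b32decode(s, casefold=True)      # casefold: accept lowercase Base32 too
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / PERIOD). `at` overrides the clock."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // PERIOD)


def verify(secret_b32: str, submitted: str, last_counter: Optional[int],
           at: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Server-side check of a submitted code.

    last_counter is the time step of the last code this user had accepted (None if
    never). Any step at or below it is refused, so a code that was phished or
    shoulder-surfed cannot be replayed within the window. Returns
    (accepted, new_last_counter); persist the counter only when accepted is True.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False, last_counter
    now = int(time.time()) if at is None else at
    current = now // PERIOD
    for step in range(current - WINDOW, current + WINDOW + 1):
        if last_counter is not None and step <= last_counter:
            continue                              # already used, or older than a used code
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret_b32, step), submitted):
            return True, step
    return False, last_counter


if __name__ == "__main__":
    # Reproduce an RFC 6238 vector, then show a replay being refused.
    print(totp(RFC6238_SHA1_SECRET, at=59))                     # RFC vector: 287082
    ok, last = verify(RFC6238_SHA1_SECRET, "287082", None, at=59)
    print(ok, last)                                             # True 1
    print(verify(RFC6238_SHA1_SECRET, "287082", last, at=59))   # (False, 1): replay refused
```

The replay guard is stricter than "reject the exact code twice": once step N is accepted, steps N-1 and N are refused as well, which closes the gap where an attacker who watched the code typed could reuse it for the rest of the window. The per-user counter must be stored with the same care as the secret, and the rate limit on `verify` calls still has to live in front of it.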
Security notes
- Encrypt TOTP secrets at rest: they're equivalent to a second password. Unlike a password they can't be salted and hashed, because the server must recover the raw bytes to compute the HMAC, so a database leak exposes every user's second factor unless the column is encrypted with a key held elsewhere.
- Offer backup codes in case the user loses their phone.
- TOTP doesn't protect against real-time phishing. Use WebAuthn for the strongest MFA.
Frequently Asked Questions
What's TOTP?
Time-based One-Time Password (RFC 6238). Every 30 seconds, your app and the server compute the same 6-digit code from a shared secret. Standard for app-based 2FA.
Why Base32 for the secret?
The RFC 4648 Base32 alphabet is A–Z plus the digits 2–7, so the confusable characters never meet: 0, 1, 8 and 9 are not in the alphabet, which means a handwritten O can only be the letter O and an I or L can only be a letter. It is also case-insensitive, so users can transcribe secrets by hand. Most authenticator apps paste or scan, but manual entry is still a fallback.
How long should the secret be?
RFC 4226 requires a shared secret of at least 128 bits and recommends 160 bits; RFC 6238 says the key should match the HMAC output length, which for SHA-1 is 160 bits (20 bytes = 32 Base32 characters, with no padding). Longer is fine. Shorter than 128 bits is below the RFC minimum and should not be used.
What's in the otpauth:// URI?
A URL-encoded string: otpauth://totp/Issuer:account?secret=BASE32&issuer=Issuer. The label (Issuer:account) and the issuer value must be percent-encoded; optional algorithm, digits and period parameters default to SHA1, 6 and 30, and some apps ignore non-default values, so stick to the defaults unless you have tested the apps you support. The URI carries the raw secret, so the QR code and the page that displays it are as sensitive as the secret itself. Most authenticator apps recognise it from a QR scan and add the account in one tap.
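An added example, not code from this page or its generator, covering the three questions above: it generates a 20-byte Base32 secret, builds the otpauth:// URI with correct percent-encoding, and parses one back with the checks a server should make before trusting it (scheme and type, a secret that decodes as Base32 and meets the 128-bit minimum, an issuer parameter that agrees with the label prefix). Function names, the `DEFAULTS` table and the issuer "Example Corp" / account "alice@example.com" are my own constructed inputs.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlparse

# Defaults from the key URI format; most apps assume these whatever the URI says.
DEFAULTS = {"algorithm": "SHA1", "digits": 6, "period": 30}


def generate_secret(nbytes: int = 20) -> str:
    """Random secret, Base32 (RFC 4648) encoded: 20 bytes -> 32 characters, no '=' padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 secret, tolerating lowercase, spaces and missing padding.
    Raises ValueError (binascii.Error) on characters outside A-Z / 2-7."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def build_otpauth_uri(issuer: str, account: str, secret_b32: str,
                      algorithm: str = "SHA1", digits: int = 6, period: int = 30) -> str:
    """Key URI as authenticator apps expect: otpauth://totp/Issuer:account?secret=...&issuer=..."""
    label = quote(f"{issuer}:{account}", safe=":")   # keep the colon, encode spaces, '@' and the rest
    query = f"secret={secret_b32}&issuer={quote(issuer, safe='')}"
    query += f"&algorithm={algorithm}&digits={digits}&period={period}"
    return f"otpauth://totp/{label}?{query}"


def parse_otpauth_uri(uri: str) -> dict:
    """Parse and validate a totp key URI; raises ValueError on anything malformed."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    label = unquote(u.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:                                      # label carries no issuer prefix
        label_issuer, account = "", label
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("missing secret")
    try:
        key = decode_secret(q["secret"])
    except ValueError as e:
        raise ValueError("secret is not valid Base32") from e
    if len(key) < 16:
        raise ValueError("secret shorter than the 128-bit RFC 4226 minimum")
    issuer = q.get("issuer", label_issuer)
    if label_issuer and issuer != label_issuer:
        raise ValueError("issuer parameter disagrees with the label prefix")
    return {
        "issuer": issuer,
        "account": account.strip(),                  # some apps write "Issuer: account"
        "secret": q["secret"],
        "key": key,
        "algorithm": q.get("algorithm", DEFAULTS["algorithm"]).upper(),
        "digits": int(q.get("digits", DEFAULTS["digits"])),
        "period": int(q.get("period", DEFAULTS["period"])),
    }


if __name__ == "__main__":
    secret = generate_secret()
    uri = build_otpauth_uri("Example Corp", "alice@example.com", secret)
    print(uri)
    print(parse_otpauth_uri(uri))
```

The parser is the half that matters on the server: anything that accepts a key URI from a client (an import feature, a migration tool) should refuse URIs it cannot decode to a key of at least 16 bytes rather than storing whatever string arrived, and should treat a label/issuer mismatch as a sign the URI was hand-edited.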