TOTP/HOTP Code Generator

Understanding TOTP and HOTP

One-Time Passwords (OTPs) are a cornerstone of modern two-factor authentication (2FA). They provide an additional security layer beyond static passwords by generating short-lived codes that can only be used once. Two standardized algorithms govern OTP generation: HOTP and TOTP.

HOTP: HMAC-Based One-Time Password (RFC 4226)

Published in December 2005, RFC 4226 defines HOTP as a function of a shared secret key and an incrementing counter value. Each time an authentication attempt succeeds, both the client and server increment their counter. The algorithm computes an HMAC-SHA1 hash of the counter value using the secret key, then applies dynamic truncation to extract a 6-digit or 8-digit numeric code from the 20-byte hash output. Specifically, the last nibble (4 bits) of the hash selects a 4-byte window, which is masked to produce a 31-bit unsigned integer, then reduced modulo 10^d where d is the digit count.

TOTP: Time-Based One-Time Password (RFC 6238)

Published in May 2011, RFC 6238 extends HOTP by replacing the counter with a time-derived value. The current Unix timestamp is divided by a configurable time step (typically 30 seconds) to produce a counter. This means codes automatically expire and refresh without requiring synchronization between client and server. TOTP is the algorithm used by Google Authenticator, Authy, Microsoft Authenticator, 1Password, and most modern 2FA implementations.

Base32 Encoding for Secrets

OTP secrets are typically encoded in Base32 (RFC 4648) rather than Base64 or hexadecimal. Base32 uses only uppercase letters A-Z and digits 2-7, making secrets easier to type manually and less prone to transcription errors. A standard TOTP secret is 160 bits (20 bytes), which encodes to 32 Base32 characters. SHA-256 and SHA-512 algorithms may use longer secrets for optimal security.

The otpauth:// URI Format

The otpauth:// URI scheme, introduced by Google, is the de facto standard for provisioning authenticator apps via QR codes. The format is: otpauth://totp/Issuer:account?secret=BASE32SECRET&issuer=Issuer&algorithm=SHA1&digits=6&period=30. This tool generates fully compliant URIs and renders them as scannable QR codes.

Algorithm Support

While SHA-1 remains the default for maximum compatibility, SHA-256 and SHA-512 provide stronger cryptographic guarantees. The Web Crypto API's crypto.subtle.sign() method handles all three algorithms natively, with no external cryptographic libraries required. This tool implements the complete HMAC computation, dynamic truncation, and code formatting pipeline entirely in the browser.

Why Use a Client-Side OTP Generator?

OTP secrets are the keys to your accounts. Generating or testing them on a server-side tool means transmitting your secret key over the network, where it could be intercepted, logged, or stored. This tool processes everything locally in your browser using the Web Crypto API — your secrets never leave your machine.

Common use cases include: testing 2FA integrations during development, verifying that your TOTP implementation produces correct codes, generating QR codes for provisioning authenticator apps, debugging time synchronization issues, and understanding how the RFC 4226/6238 algorithms work by experimenting with different parameters.

Unlike most online OTP tools that rely on server-side computation or third-party APIs, every cryptographic operation here — HMAC signing, dynamic truncation, Base32 encoding, and secret generation — executes entirely within your browser's security sandbox. The source code is fully auditable, and no network requests are made during OTP generation.