About TOTP / 2FA Generator

Generate time-based one-time passwords from a secret key. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

• Test 2FA flows during authentication development
• Generate backup codes when rotating MFA secrets
• Debug TOTP drift between client and server clocks
• Seed automated end-to-end tests that require MFA

Tips

• The code auto-refreshes when the 30-second period expires
• The circular timer shows remaining validity time
• Use this to verify your TOTP secret is configured correctly

Fun Facts

• TOTP codes change every 30 seconds by default. The algorithm (RFC 6238) uses HMAC-SHA1 with the current time divided by the period as the counter.
• Google Authenticator originally stored TOTP secrets unencrypted on the device — it wasn't until 2023 that Google added cloud backup with encryption.
• TOTP is being gradually replaced by passkeys (FIDO2/WebAuthn), which are phishing-resistant because the credential is bound to the specific website domain.

FAQ

Does the tool replace Google Authenticator?

For testing yes. For production MFA use a dedicated app (Authy, 1Password, Aegis) — centralized apps lose all your codes if you clear browser data.

What's the secret format?

Base32 by default (the format most providers give you). 80-160 bits of entropy recommended. Padding is optional.

Clock sync matters?

Yes — TOTP depends on server and client clocks being within 30 seconds. NTP-synchronized devices are fine; mobile devices usually are. The tool shows local time for debugging.

What algorithm and digits?

SHA-1 / 6 digits / 30-second window is the default (matches Google Authenticator). Toggle SHA-256 / 8 digits for higher security if your provider supports it.