TOTP (Time-based One-Time Password) is an algorithm defined in RFC 6238 that generates a short-lived numeric code from a shared secret key and the current time. It is the standard behind apps like Google Authenticator and Authy.

Is it safe to enter my secret key here?

Yes. This tool runs entirely in your browser. Your secret keys are encrypted with AES-GCM and stored in IndexedDB — they are never transmitted to any server.

OTP Generator - TOTP 2FA Code Generator Free

Set Up Encrypted Vault

Your OTP secrets will be encrypted and stored securely in your browser.

What Is OTP Generator?

OTP Generator creates Time-based One-Time Passwords (TOTP) as defined in RFC 6238. It runs entirely in your browser — your secret keys are encrypted with AES-256-GCM and stored in IndexedDB, never leaving your device. Use it to generate 2FA codes for any service that supports TOTP authentication.

Supported Standards

TOTP (RFC 6238) — time-based one-time passwords with configurable period
HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512 algorithms
6 or 8 digit code output
Base32 secret key encoding
otpauth:// URI parsing for easy import

Key Features

AES-256-GCM encrypted vault with WebAuthn PRF or master password protection
Real-time countdown timer showing remaining seconds for each code
Automatic code refresh when the time period expires
One-click copy to clipboard
Camera QR code scanning and image upload
Export/import encrypted backup files
Auto-lock after inactivity or tab switch

How to Use

Set up your encrypted vault with biometric authentication or a master password. Click Add to open the secret key form. Paste an otpauth:// URI, scan a QR code with your camera, or enter a Base32 secret key manually. Each card shows the current code, a countdown timer, and a progress bar. Click the copy icon to copy a code to your clipboard.

Security Architecture

OTP secrets are encrypted with AES-256-GCM using a random Data Encryption Key (DEK)
The DEK is wrapped with AES-KW using a Key Encryption Key (KEK) derived from your password (PBKDF2) or biometric (WebAuthn PRF + HKDF)
Encrypted data stored in IndexedDB — plain-text secrets never touch disk
Auto-lock on 5 minutes of tab hidden or 10 minutes of idle
No data is sent to any server — all computation happens locally

Frequently Asked Questions

Are my secret keys safe?: Your keys are encrypted with AES-256-GCM and stored in IndexedDB. The encryption key is protected by your master password or biometric authentication. Even if someone accesses your browser storage, they cannot read your secrets without the correct credentials.
What is a Base32 secret key?: A Base32 secret key is the shared secret provided by services when you set up 2FA. It uses characters A-Z and 2-7. You can usually find it as a text code alongside the QR code during 2FA setup.
What is an otpauth:// URI?: An otpauth:// URI is a standardized format that encodes all TOTP parameters (secret, issuer, algorithm, digits, period) in a single string. QR codes for 2FA typically contain these URIs.
Why do my codes not match my authenticator app?: Ensure the secret key, algorithm (SHA-1 is most common), digit count (usually 6), and period (usually 30 seconds) match exactly. Also verify your device clock is accurate — TOTP depends on synchronized time.
What happens if I forget my master password?: If you forget your master password, you will need to reset the vault, which permanently deletes all stored entries. To prevent data loss, regularly export backups of your OTP entries.