OTP Code Generator
Create time-based one-time passcodes from a shared secret locally.
What This Tool Does
- OTP Code Generator produces time-based or counter-based one-time passcodes (TOTP/HOTP) for testing two-factor authentication flows.
- Verify OTP workflows by comparing generated codes with authenticator app outputs using the same secret.
Usage
- Paste your Base32-encoded shared secret (often from QR codes in 2FA setup).
- Configure OTP type (TOTP time-based or HOTP counter-based) and output digits (usually 6).
- Set time period (30 seconds for TOTP is standard).
- Generate the current code and watch it cycle over time.
Examples
- Verify TOTP time drift handling and code expiration in QA authentication tests.
- Confirm onboarding QR secrets generate matching codes in your authenticator app.
- Test backup code workflows and grace periods during 2FA setup integration.
- Validate OTP validation logic handles code boundaries and period transitions correctly.
Limitations
- Results should be validated in your target runtime before production use.
- Extremely large input payloads may be constrained by browser memory and performance limits.
Common Mistakes
- Invalid Base32: Non-Base32 characters or incorrect padding cause decode failures. Use only A-Z, 2-7, and = (padding).
- Time sync issues: Client and server clock skew >= time period causes code mismatch. Ensure device time is accurate.
- Wrong secret: Pasting incorrect or partially-copied secret produces wrong codes. Copy full secret including all characters.
- Wrong period: Using 30s code with 60s server configuration (or vice versa) causes perpetual mismatches.
- Digit mismatch: 6-digit code vs 8-digit prompt causes failures. Verify server configuration before implementing.
- Secret leakage: Shared secret visibility (screenshot, log files) compromises 2FA. Treat as highly sensitive.
Technical Reference Guide
- TOTP (Time-based OTP): Codes derive from HMAC-SHA1 keyed by the secret over the counter floor(time / period), truncated to the configured number of digits. Codes change every 30 seconds (configurable).
- HOTP (HMAC-based OTP): Codes derive from the same HMAC over an explicit counter value that increments on each use. No time dependency.
- Base32 encoding: Standard for shared secrets in 2FA. Each character = 5 bits. Padding with = if needed.
- Time period: 30 seconds is standard for TOTP. Some systems use 60 seconds. Must match server configuration.
- Digit count: 6 digits standard (000000-999999). 7-8 digits provide higher security. Fewer digits make it more likely that a guessed code matches.
- Drift/skew: Servers typically accept ±1 time period for clock drift (±30 seconds for 30s period).
- Shared secret: Mutual knowledge between client and server. Never transmitted after initial 2FA pairing.
FAQ
Does OTP generation require network access?
No. OTP is computed purely from the secret and local time. No network or server contact needed.
Why do codes change over time?
TOTP derives from time; code changes every period (usually 30 seconds). This prevents code reuse attacks.
Can I use this generator instead of an authenticator app?
Yes, for testing. For production 2FA, use a dedicated authenticator app (Google Authenticator, Authy, etc.).
What if my code does not match the server?
Check: 1) Correct secret pasted, 2) Device time is synchronized, 3) Right time period and digit count configured.
How do I extract the secret from a 2FA QR code?
Use a QR decoder tool to extract the otpauth:// URL. The secret is the secret= parameter in that URL.
Can the generated code be used multiple times?
No. TOTP codes are valid for one period only (typically 30 seconds). Codes rotate continuously.