Understand how authenticator app codes work.

What Is TOTP?

Learn how time-based one-time passwords use a shared secret and clock window to generate changing 2FA codes.

TOTP is HOTP with time instead of a counter.
The shared secret and time step produce a short-lived code that changes every interval.
RFC 6238 supports SHA-1, SHA-256, and SHA-512, with 30 seconds as the usual default step.

How the code is produced

The authenticator and the server share a secret. Each side divides the current Unix time by the step length to get a step number, computes an HMAC over that number keyed with the secret, and truncates the result to a short decimal code. The user only sees the final digits, never the secret itself.

Why the code expires

The time step keeps the code short-lived, which limits reuse. If the server and the device disagree about the time or the step window, a valid code can still be rejected.
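The HMAC-and-truncate procedure described above, together with the clock-skew window this section discusses, as an added Python example that is not part of the original page. The secrets and expected codes are the published RFC 4226 and RFC 6238 test vectors; the acceptance window and the replay check in `verify_totp` are this example's own design choices, not something the page specifies.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secrets (ASCII), used here only as test data.
SECRET_SHA1 = b"12345678901234567890"
SECRET_SHA256 = b"12345678901234567890123456789012"
SECRET_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238: TOTP is HOTP with the counter replaced by the time-step number."""
    if for_time is None:
        for_time = int(time.time())
    counter = (for_time - t0) // step
    return hotp(secret, counter, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, for_time: int, step: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check. Accepts the code for the current step and `window`
    steps either side (tolerating clock drift) and returns the matching step
    number, or None. Steps at or before `last_counter` are refused so a code the
    server already accepted cannot be replayed inside the window; the caller is
    expected to store the returned value as the new `last_counter`."""
    counter = for_time // step
    for delta in range(-window, window + 1):
        step_number = counter + delta
        if step_number <= last_counter:
            continue
        expected = hotp(secret, step_number, digits, algorithm)
        if hmac.compare_digest(expected, candidate):   # constant-time comparison
            return step_number
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B: T=59 with SHA-1 and 8 digits must give 94287082.
    print(totp(SECRET_SHA1, 59, digits=8))
    print(verify_totp(SECRET_SHA1, "94287082", for_time=75, digits=8))
```

A wider `window` makes drifted clients happier but lengthens the effective lifetime of every code, which is exactly the reuse exposure the time step exists to limit; one step either side is the usual compromise.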

What to check in a setup

Issuer, account label, algorithm, digit count, and period all matter. Most services choose 6 digits and 30 seconds, but the platform controls the final parameters.
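The parameters listed above are the ones carried in the otpauth:// provisioning URI that most apps scan or accept during manual setup. The following is an added Python example, not code from the original page: it parses such a URI, applies the usual defaults (SHA1, 6 digits, 30 seconds) and reports the settings a reviewer should notice. The two sample URIs and their secrets are constructed for this example; the 128-bit minimum secret length comes from RFC 4226.

```python
import base64
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample provisioning URIs (not from any real service). The second
# one deliberately carries several settings a careful reviewer should notice.
GOOD_URI = ("otpauth://totp/Example:alice%40example.com"
            "?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30")
ODD_URI = ("otpauth://totp/Other:bob"
           "?secret=jbsw%20y3dpehpk3pxpjbswy3dpehpk3pxp&issuer=Example"
           "&algorithm=MD5&digits=9&period=60")

SUPPORTED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}   # the three named in RFC 6238


def decode_base32_secret(text: str) -> bytes:
    """Decode a base32 secret as apps present it: any case, spaces allowed,
    '=' padding usually omitted."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> Dict[str, object]:
    """Extract issuer, account label, secret, algorithm, digits and period from
    an otpauth://totp/ URI, filling in the conventional defaults."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    label = unquote(parts.path.lstrip("/"))
    head, sep, tail = label.partition(":")          # label is "Issuer:account" or "account"
    label_issuer, account = (head, tail) if sep else ("", head)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label_issuer": label_issuer,
        "issuer": q.get("issuer", label_issuer),
        "account": account.strip(),
        "secret_b32": q.get("secret", ""),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def check_setup(uri: str) -> Tuple[Dict[str, object], List[str]]:
    """Parse the URI and return the parameters plus a list of findings."""
    params = parse_otpauth(uri)
    findings: List[str] = []
    if not params["secret_b32"]:
        findings.append("missing secret")
        params["secret"] = b""
    else:
        params["secret"] = decode_base32_secret(str(params["secret_b32"]))
        if len(params["secret"]) < 16:
            findings.append("secret shorter than RFC 4226's 128-bit minimum")
    if params["label_issuer"] and params["issuer"] != params["label_issuer"]:
        findings.append(f"issuer parameter {params['issuer']!r} differs from "
                        f"label issuer {params['label_issuer']!r}")
    if params["algorithm"] not in SUPPORTED_ALGORITHMS:
        findings.append(f"unsupported algorithm {params['algorithm']}")
    if not 6 <= int(params["digits"]) <= 8:
        findings.append(f"digits={params['digits']} outside the RFC 4226 range of 6 to 8")
    if params["period"] != 30:
        findings.append(f"non-default period {params['period']} s")
    return params, findings


if __name__ == "__main__":
    for uri in (GOOD_URI, ODD_URI):
        params, findings = check_setup(uri)
        print(params["issuer"], params["account"], params["algorithm"],
              params["digits"], params["period"])
        for finding in findings:
            print("  -", finding)
```

Any finding here is a reason to compare against what the platform itself displays rather than to guess: a code generated with the wrong algorithm, digit count or period never matches, and a mismatched issuer is a sign that the URI did not come from where the label claims.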

Action items

  • Use the TOTP generator only with a test secret or a clearly understood setup.
  • Verify the period and digits shown by the platform during manual setup.
  • Sync device time automatically before troubleshooting codes.

Cautions

  • TOTP is not phishing-resistant in the same way passkeys are.
  • The secret behind the code is the real credential; keep it private.
