2FAApp Local-first security tools
Use tools

Private browser tools

2FA Readiness Checklist

Score whether an account or team is ready to enable 2FA without creating recovery gaps.

Security model
Local processing. Checklist answers stay in the browser unless you submit a separate form. They are not sent to APIs, written to URLs, analytics, localStorage, or sessionStorage.

Generate a local TOTP code

TOTP Generator

Use for testing or recovery troubleshooting on a trusted device. Real account secrets should never be entered on public computers.

Enter a Base32 secret to generate codes in browser memory.

Inspect an otpauth URI

otpauth URI Parser

Parse issuer, account, algorithm, digits, period, and a masked secret without sending the URI anywhere.

Parsed fields appear here. Full secrets are masked by default.

Create a local QR code

QR Code Generator

Generate QR codes locally. If the content is an otpauth URI, the QR code contains the secret and must be protected like a password.

Your QR preview appears here.

Read a QR image locally

QR Code Decoder

Drop, paste, or select a QR image. Image pixels are decoded in the browser and are not uploaded.

Drop a QR image here or paste a screenshot, then select a file if needed.

Decoded text appears masked when it contains an otpauth secret.

Check code timing

Time Drift Checker

Compare the code you see with nearby TOTP windows. This can only help if the secret, account, algorithm, digits, and period are correct.

Drift results appear here.

Random local code strings

Backup Code Generator

Generate random code-style strings for systems that let you define your own recovery codes. These are not valid Google, GitHub, Microsoft, Discord, or bank recovery codes.

Generated codes appear here. They are not stored after you leave the page.

Before enabling 2FA

2FA Readiness Checklist

Check whether an account or rollout is ready before you turn on 2FA. The report is computed locally and contains no secrets.

Account readiness

Your readiness score appears here.

Plan a safer move

Migration Helper

This helper does not read your account list, phone, export files, QR codes, or secrets. It only builds a local step-by-step plan from your choices.

Your migration plan appears here. It will not include account names or secrets.

Sensitive values are held only in in-memory JavaScript variables for the current page session. Do not use these tools on a shared or untrusted device.

Related questions

What are backup codes? Backup codes are one-time codes generated by the platform you are protecting. Store them somewhere safe and separate from the device that holds your authenticator.