
TOTP and Authenticator App Secrets Explained

Generate Secret Keys team June 4, 2026 6 min read

Those six-digit codes that refresh every 30 seconds in Google Authenticator, Authy, or 1Password are TOTPs — time-based one-time passwords. They add a strong second factor to logins and, despite feeling magical, rest on a simple, open standard you can fully understand.

What TOTP is

TOTP (RFC 6238) generates a short numeric code from two inputs: a shared secret and the current time. Because both the server and your authenticator app hold the same secret and roughly the same clock, each computes the same code on its own: the app needs no network connection, and the secret itself never travels after setup. (The code you type can still be phished or relayed in real time, which is why TOTP is a second factor, not a substitute for the first.) TOTP is HOTP (RFC 4226) with the moving counter replaced by a time step: the code is a truncated HMAC of that counter, keyed with the shared secret.

The shared secret

Everything hinges on the secret created when you enable 2FA. It's a random value of at least 128 bits (RFC 4226 recommends 160), displayed in Base32 (the A–Z, 2–7 alphabet) because that alphabet is easy to type and contains no easily confused characters. When you scan the setup QR code, you're importing this secret into your app. Both sides store it, and every code is derived from it until you re-enrol, so anyone who copies it (from a screenshot, an unencrypted backup, or the server's database) can generate your codes.

The otpauth:// URI and QR code

Setup QR codes encode an otpauth:// URI that bundles the secret with metadata:

otpauth://totp/My%20App:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=My%20App&algorithm=SHA1&digits=6&period=30
  • secret — the Base32 shared secret, usually written without the trailing "=" padding.
  • issuer / label — the service and account names shown in the app. The path label is "issuer:account" and must be URL-encoded (the space in "My App" becomes %20); the separate issuer parameter repeats the service name.
  • algorithm — the HMAC hash: SHA1, SHA256 or SHA512 (SHA1 is the default and the safe choice for compatibility).
  • digits — code length, 6 or 8, usually 6.
  • period — seconds per code, usually 30.
The last three parameters are optional, and not every authenticator honors non-default values, so stick with SHA1, 6 digits and 30 seconds unless you control the client.

How a code is derived

The current Unix time is divided by the period (30 s by default) to get a counter, which is encoded as an 8-byte big-endian integer. The app computes an HMAC of that counter keyed with the shared secret, then truncates the result deterministically ("dynamic truncation" in RFC 4226): the low four bits of the last HMAC byte select a 4-byte window, the top bit of that window is cleared, and the value modulo 10^6 is the six-digit code, zero-padded. Thirty seconds later the counter increments and a new code appears. Servers usually accept one step either side as well, so a few seconds of clock drift won't lock you out; every extra step accepted widens the target a brute-forcer has to hit, and a code that has already been accepted must not be accepted a second time within its window.

Keeping TOTP secrets safe

  • Generate the secret with a CSPRNG (at least 128 bits; 160 is the RFC 4226 recommendation) and show it, as QR code or Base32 text, only during setup. Require one valid code before switching 2FA on, so a mis-scanned secret can't lock the user out.
  • Store it encrypted at rest on the server. Unlike a password it can't be hashed, because the server needs the raw value to compute the HMAC, so a database dump exposes every enrolled secret unless they are encrypted under a key kept elsewhere.
  • Provide single-use backup codes (stored hashed, like passwords) so users aren't locked out if they lose their device.
  • Rate-limit verification and lock the account after a handful of failures: a six-digit code is a one-in-a-million guess per accepted time step, so unlimited attempts will eventually succeed. Compare codes in constant time and never accept the same code twice.

Generate a TOTP secret now

The More tab generates a Base32 TOTP secret and a ready-to-scan otpauth:// URI, with a QR code you can render — all locally in your browser, perfect for testing a 2FA integration.
