2FA Code Generator: How to Create TOTP Verification Codes
Two-factor authentication protects accounts by requiring a short verification code in addition to a password. Our free 2FA Code Generator creates standard TOTP codes from a Base32 secret or otpauth:// setup URI directly in your browser.
This tool is useful when you need to test an MFA login flow, recover a code from a saved setup secret, or validate that a 2FA secret is formatted correctly. For daily account access, keep using a trusted authenticator app or password manager.
What is a TOTP Code?
TOTP means time-based one-time password. When you turn on 2FA, the service gives you a secret. Your authenticator and the service both combine that secret with the current time to calculate the same temporary code.
Most authenticator apps use:
- A Base32 shared secret
- HMAC-SHA1
- A 6-digit code
- A 30-second refresh window
Because the code is derived from the secret and the clock, the generator does not need to contact the service that owns the account.
How to Use the 2FA Code Generator
- Open the 2FA setup source for the account or test system you are working with.
- Copy the Base32 secret or full
otpauth://URI. - Paste it into the 2FA Secret field.
- Click Submit to generate the current 6-digit code.
- Copy the 2FA Code and use it before the 30-second timer expires.
If the timer is almost finished, wait for the next code before submitting it. Some services reject a code that expires during form submission.
Accepted Input Formats
You can paste a plain Base32 secret:
JBSW Y3DP EHPK 3PXPSpaces, hyphens, and padding characters are ignored, so grouped secrets from setup screens still work.
You can also paste a full authenticator setup URI:
otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=ExampleThe tool extracts the secret value from the URI and uses it to generate the TOTP code.
Security Notes
A 2FA secret is sensitive. Anyone who has the secret can generate valid verification codes for that account if they also have the password.
- Do not share 2FA secrets in chats, tickets, screenshots, or public logs
- Use this tool only on a device and browser you trust
- Avoid pasting production account secrets on shared computers
- Clear the form when you are done
- Rotate the 2FA secret if you believe it was exposed
The generator runs locally in your browser. The secret is not uploaded by the tool, but browser extensions, clipboard history, screen recording software, and shared devices can still create risk.
Troubleshooting
The tool says my secret is invalid.
Base32 secrets use letters A-Z and numbers 2-7. Characters like 0, 1, 8, and 9 are not valid Base32 characters.
The generated code is rejected.
Check that the secret belongs to the same account, wait for a fresh 30-second window, and make sure your device clock is accurate. Time drift is a common reason TOTP codes fail.
The code changed before I submitted it.
Use the newest code shown by the timer. If only a few seconds remain, wait for the next code.
The browser cannot generate a code.
The tool uses the Web Crypto API. Try a modern browser with JavaScript enabled.
Frequently Asked Questions
Is the secret uploaded to OhMyApps?
No. The TOTP calculation runs in your browser using the Web Crypto API.
Can this replace my authenticator app?
No. Treat it as a utility for testing, recovery, or one-off validation. Use a dedicated authenticator app or password manager for everyday 2FA storage.
Can I scan a QR code with this tool?
Not directly. If your setup screen shows a manual key or an otpauth:// URI, paste that text into the tool.
Why does the code refresh every 30 seconds?
TOTP codes are time-based. A short refresh window limits how long a stolen or accidentally exposed code remains useful.
Try our free 2FA Code Generator to create TOTP verification codes locally in your browser.
