Question 1

What is the difference between TOTP and HOTP?

Accepted Answer

TOTP (Time-based OTP) generates a new 6-digit code every 30 seconds using the current timestamp as an input — this is what authenticator apps like Google Authenticator use. HOTP (HMAC-based OTP) generates codes based on a counter value that increments with each use, making each code valid until it is used rather than expiring by time.

Question 2

Is it safe to generate OTPs in the browser?

Accepted Answer

This tool uses the Web Crypto API with HMAC-SHA1 entirely in your browser — your secret key never leaves your device. However, storing the secret key in a browser tool is less secure than a dedicated authenticator app (like Authy or Google Authenticator) which stores secrets in protected app storage, sometimes with biometric lock.

Question 3

What format should the secret key be in?

Accepted Answer

The secret key must be in Base32 encoding — using the characters A-Z and 2-7, with optional padding characters `=`. Most 2FA setup QR codes encode the secret in Base32 inside an otpauth:// URI. Typical secret lengths are 16 or 32 characters (80 or 160 bits).

Question 4

Why does TOTP have a 30-second window?

Accepted Answer

RFC 6238 defines the default time step as 30 seconds as a balance between usability (enough time to read and type the code) and security (short enough that a stolen code cannot be used for long). Most servers also accept codes from the adjacent time windows (±30 s) to allow for slight clock drift.

Question 5

What is an otpauth:// URI used for?

Accepted Answer

An otpauth:// URI encodes all the parameters needed to add an account to an authenticator app — the type (totp/hotp), the issuer, account name, secret, algorithm, digit count, and period. When this URI is encoded as a QR code, authenticator apps can scan it to automatically configure themselves.

OTP Generator

About this tool

Frequently Asked Questions

Comments & Feedback