ConvertiloConvertilo

2FA / TOTP Token Generator

Generate a 6-digit TOTP code from a base32 secret. Runs entirely in your browser — your secret is never uploaded, logged, or sent over the network.

🔐Multiple accounts? Use the 2FA Vault
Open vault →

About this TOTP generator

A TOTP (Time-based One-Time Password, RFC 6238) is the 6-digit rolling code your authenticator app shows: HMAC-SHA1 of a shared secret combined with a 30-second time window, truncated to six digits. It is the same algorithm behind Google Authenticator, Authy, Microsoft Authenticator and Duo — given the same base32 secret and a synced clock, every implementation produces the exact same code. People reach for an online TOTP generator in a few specific situations: their phone is lost, broken, or wiped before 2FA was migrated; the authenticator app stopped opening after an OS update; a colleague needs to log into a shared service account before the on-call hand-off; or a developer is automating end-to-end tests and needs a TOTP without scripting one from scratch.

Be honest about the trade-off: typing a TOTP shared secret into any website — including this one — means the page's JavaScript briefly touches that secret, and a malicious operator could in principle exfiltrate it. We mitigate that by doing everything in your browser: the secret is never uploaded, never logged, and never sent to an analytics endpoint. You can verify this yourself — open the browser DevTools Network tab before pasting and watch that no outbound request carries the secret. For ongoing use, a dedicated authenticator app or a password manager like Bitwarden or 1Password is still the right answer. This tool is built for the one-off case: an emergency code right now, when waiting on a phone replacement is not an option.

Why use this generator

Truly browser-only

Your base32 secret never leaves the device — open DevTools and watch the Network tab to verify nothing is uploaded.

No account, no log, no rate limit

No sign-up, no captcha, no per-IP throttling. Useful for emergency recovery when you can't fight a login wall.

RFC 6238 compliant

Same HMAC-SHA1 / 30-second window as Google Authenticator, Authy and Microsoft Authenticator — codes match byte-for-byte.

Frequently asked questions

How is this different from Google Authenticator?

The algorithm is identical — both compute an HMAC-SHA1 of your base32 secret and the current 30-second window, then truncate to six digits. The difference is role: Google Authenticator is designed to be a long-term store of many secrets on a single device. This tool is a stateless web utility — paste a secret, get a code, close the tab. Use Google Authenticator (or a password-manager TOTP feature like Bitwarden) for everyday 2FA; reach for this generator when you need a one-off code outside that flow.

Is it safe to enter my TOTP secret on a website?

Strictly speaking, no online TOTP generator is as safe as keeping the secret only inside an authenticator app on your phone. A malicious site could ship JavaScript that quietly POSTs your secret to a server. The honest mitigation is verifiability: this tool runs entirely client-side, so you can open the browser DevTools Network tab before pasting and confirm nothing leaves your device. If the secret protects a high-value account (banking, work email, crypto), prefer a real authenticator app and only use a web tool in a genuine emergency.

What is a TOTP secret / base32 key?

When you enable 2FA on a service, it generates a shared secret — a random string usually shown as a QR code and a 16-32 character base32 string (letters A-Z and digits 2-7). Your authenticator app scans the QR code to store that secret. The same string pasted into this tool produces the same codes. If you didn't save it when you first set up 2FA, you cannot recover it — the secret is stored only on your device. You would need to disable and re-enroll 2FA from a session where you are already logged in.

Why does the code change every 30 seconds?

TOTP combines your secret with the current Unix time divided into 30-second windows. Every 30 seconds the window number ticks up by one, so the HMAC input changes and the resulting 6-digit code rotates. The short window limits the value of a stolen code — an attacker who phishes a code has at most 30 seconds (often less) to replay it before the server rejects it. Some implementations use 60-second windows, but 30 seconds is the default in RFC 6238 and what Google Authenticator ships.

Can I use this if I lost my phone?

Only if you still have the base32 secret somewhere — for example written down, printed in a recovery PDF, stored in a password manager, or saved as a screenshot of the original QR code. The secret is what mints the codes; without it, no tool can recreate the 6-digit numbers your old phone showed. If the secret is gone, use the service's account recovery flow (backup codes, SMS fallback, identity verification) and re-enroll 2FA from your new device.

Does it work with Google Authenticator codes?

Yes — Google Authenticator implements standard TOTP exactly as specified in RFC 6238 (HMAC-SHA1, 30-second window, 6-digit output, base32 secret). If you paste the same base32 secret that you originally scanned into Google Authenticator, this tool produces the identical 6-digit code. The same is true for Authy, Microsoft Authenticator, Duo Mobile, 1Password TOTP, and Bitwarden TOTP. Steam Guard uses a custom alphabet, so codes will not match — for Steam you need a Steam-specific generator.

What if my code doesn't work?

Almost always it is clock skew. TOTP depends on both your device and the server agreeing on the current time within a 30-second window. If your computer's clock is off by more than that, the server rejects the code. Check that your system clock is synced (Settings → Date & Time → Set automatically), then try again. Other causes: a typo in the base32 secret (a missing character shifts everything), trailing whitespace, or using a Steam secret (different alphabet) in a standard TOTP generator.

Should I use this tool long-term?

No — for ongoing 2FA, use a dedicated authenticator app (Google Authenticator, Authy, Microsoft Authenticator, Aegis on Android, Raivo on iOS) or the TOTP feature built into your password manager (Bitwarden, 1Password, Proton Pass). Those are designed for secure storage of many secrets and survive across device changes via encrypted sync. This generator is built for a single emergency: paste the secret, copy the code, close the tab. If you find yourself opening it daily, set up a real authenticator app instead.