TOTP / HOTP Secret Generator
Guide
Generate cryptographically secure TOTP and HOTP secrets for two-factor authentication apps like Google Authenticator and Authy. The generator creates Base32-encoded secrets, produces a scannable QR code via the otpauth:// URI standard, and shows a live TOTP preview so you can verify the secret works before deploying it.
How to Use
Select the OTP type (TOTP for time-based, HOTP for counter-based), enter an issuer name and account identifier, then choose the digit count (6 or 8), the algorithm (SHA-1, SHA-256, or SHA-512), and the time period. Click Generate to create a new secret. Scan the QR code with your authenticator app to add the account, then verify that the live code matches.
Features
- TOTP and HOTP – supports both time-based (RFC 6238) and counter-based (RFC 4226) one-time passwords
- Secure generation – uses crypto.getRandomValues() for cryptographically strong secrets
- Base32 encoding – output compatible with all major authenticator apps
- Inline QR code – generated client-side from the otpauth:// URI, no external services
- Live TOTP preview – shows current 6/8-digit code updating in real time to verify the secret
- Algorithm choice – SHA-1 (default), SHA-256, or SHA-512
- Fully client-side – secrets never leave your browser
Frequently Asked Questions
- What is the difference between TOTP and HOTP?
TOTP (Time-based One-Time Password, RFC 6238) generates codes based on the current time, refreshing every 30 seconds by default. HOTP (HMAC-based One-Time Password, RFC 4226) generates codes based on a counter that increments with each use. TOTP is more common in modern 2FA systems because it does not require server-client counter synchronisation, but HOTP is useful in offline or asynchronous scenarios.
- Why is SHA-1 still the default algorithm for TOTP?
SHA-1 remains the default because RFC 6238 specifies it as the baseline and virtually all authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) support it. While SHA-1 has known weaknesses in digital signatures, HMAC-SHA-1 as used in TOTP is not vulnerable to those attacks. SHA-256 and SHA-512 offer stronger security but have limited app support.
- How does the otpauth:// URI scheme work?
The otpauth:// URI encodes all parameters needed to configure an authenticator app: the secret, issuer name, account label, algorithm, digit count, and time period. QR codes embed this URI so users can scan and import the account without manual entry. The format is: otpauth://totp/Issuer:Account?secret=BASE32SECRET&issuer=Issuer&algorithm=SHA1&digits=6&period=30
- Is it safe to generate TOTP secrets in a browser tool?
Yes, when the tool is fully client-side. This generator uses the Web Crypto API to generate secrets locally and never transmits them to any server. You can verify this by checking the network tab in browser developer tools — no outbound requests are made during secret generation. Store generated secrets securely and never share them.
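The flow described above (random secret, Base32 encoding, otpauth:// URI, live code), as an added example that is not the tool's own code. Function names are illustrative, and the Node fallback on the first line is an assumption for running it outside a browser.

```javascript
// Added example; helper names are illustrative, not the tool's own code.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // older Node fallback
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// RFC 4648 Base32, unpadded (the form otpauth:// secrets use).
function base32Encode(bytes) {
  let bits = 0, value = 0, out = '';
  for (const b of bytes) {
    value = ((value << 8) | b) & 0xffff; // at most 12 pending bits are ever needed
    bits += 8;
    while (bits >= 5) {
      out += ALPHABET[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
  }
  if (bits > 0) out += ALPHABET[(value << (5 - bits)) & 31];
  return out;
}

// 20 random bytes = 160 bits, the secret length RFC 4226 recommends.
function generateKey(length = 20) {
  return wc.getRandomValues(new Uint8Array(length));
}

// Build the URI in the parameter order shown in the FAQ above.
// Note the URI spells the algorithm "SHA1" while Web Crypto spells it "SHA-1".
function otpauthUri({ issuer, account, secret, algorithm = 'SHA1', digits = 6, period = 30 }) {
  const enc = encodeURIComponent;
  return `otpauth://totp/${enc(issuer)}:${enc(account)}?secret=${secret}` +
    `&issuer=${enc(issuer)}&algorithm=${algorithm}&digits=${digits}&period=${period}`;
}

// RFC 6238 TOTP: HMAC over the 8-byte big-endian time-step counter,
// followed by RFC 4226 dynamic truncation.
async function totp(keyBytes, unixSeconds, { hash = 'SHA-1', digits = 6, period = 30 } = {}) {
  const counter = new DataView(new ArrayBuffer(8));
  counter.setBigUint64(0, BigInt(Math.floor(unixSeconds / period)));
  const key = await wc.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash }, false, ['sign']);
  const mac = new Uint8Array(await wc.subtle.sign('HMAC', key, counter.buffer));
  const offset = mac[mac.length - 1] & 0x0f;
  const code = new DataView(mac.buffer).getUint32(offset) & 0x7fffffff;
  return String(code % 10 ** digits).padStart(digits, '0');
}

// Enrollment: secret and URI for the QR code, plus the current code to compare.
async function enroll(issuer, account) {
  const key = generateKey();
  const secret = base32Encode(key);
  return { secret, uri: otpauthUri({ issuer, account, secret }), code: await totp(key, Date.now() / 1000) };
}
```

The code returned by enroll() should equal what the authenticator app shows after scanning the URI, which is the same check the live preview performs.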
