TOTP / HOTP Secret Key Generator
Generate cryptographically secure TOTP and HOTP secrets for two-factor authentication apps like Google Authenticator and Authy. The generator creates Base32-encoded secrets, produces a scannable QR code via the otpauth:// URI standard, and shows a live TOTP preview so you can verify the secret works before deploying it.
How to use
Select OTP type (TOTP for time-based, HOTP for counter-based), enter an issuer name and account identifier, choose your digit count (6 or 8), algorithm (SHA-1, SHA-256, or SHA-512), and time period. Click Generate to create a new secret. Scan the QR code with your authenticator app to add the account, then verify the live code matches.
Features
- TOTP and HOTP – supports both time-based (RFC 6238) and counter-based (RFC 4226) one-time passwords
- Secure generation – uses crypto.getRandomValues() for cryptographically strong secrets
- Base32 encoding – output compatible with all major authenticator apps
- Inline QR code – generated client-side from the otpauth:// URI, no external services
- Live TOTP preview – shows current 6/8-digit code updating in real time to verify the secret
- Algorithm choice – SHA-1 (default), SHA-256, or SHA-512
- Fully client-side – secrets never leave your browser
Frequently asked questions
- What is the difference between TOTP and HOTP?
TOTP (Time-based One-Time Password, RFC 6238) generates codes based on the current time, refreshing every 30 seconds by default. HOTP (HMAC-based One-Time Password, RFC 4226) generates codes based on a counter that increments with each use. TOTP is more common in modern 2FA systems because it does not require server-client counter synchronisation, but HOTP is useful in offline or asynchronous scenarios.
- Why is SHA-1 still the default algorithm for TOTP?
SHA-1 remains the default because RFC 6238 specifies it as the baseline and virtually all authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) support it. While SHA-1 has known weaknesses in digital signatures, HMAC-SHA-1 as used in TOTP is not vulnerable to those attacks. SHA-256 and SHA-512 offer stronger security but have limited app support.
- How does the otpauth:// URI scheme work?
The otpauth:// URI encodes all parameters needed to configure an authenticator app: the secret, issuer name, account label, algorithm, digit count, and time period. QR codes embed this URI so users can scan and import the account without manual entry. The format is: otpauth://totp/Issuer:Account?secret=BASE32SECRET&issuer=Issuer&algorithm=SHA1&digits=6&period=30
- Is it safe to generate TOTP secrets in a browser tool?
Yes, when the tool is fully client-side. This generator uses the Web Crypto API to generate secrets locally and never transmits them to any server. You can verify this by checking the network tab in browser developer tools — no outbound requests are made during secret generation. Store generated secrets securely and never share them.
