Tool Pocket

⏱️ Time-based One-Time Password (TOTP) Emulator

Emulate a Time-based One-Time Password (TOTP) from a secret key.

What is TOTP (Time-based One-Time Password)?

TOTP (Time-based One-Time Password) is a temporary passcode generated by an algorithm that uses the current time as one of its factors. It's a core component of two-factor authentication (2FA) systems, providing an additional layer of security beyond traditional passwords. TOTP codes are time-sensitive and automatically expire after a short period, typically 30 seconds.

Understanding TOTP Authentication

How TOTP Works

TOTP combines several elements to generate secure, time-based codes:

  • Secret Key: A shared secret between the server and authenticator app
  • Current Time: The current Unix timestamp
  • Time Step: A predefined interval (usually 30 seconds)
  • Hash Algorithm: Cryptographic hash function (SHA1, SHA256, SHA512)
  • Digit Count: Number of digits in the generated code (usually 6)

TOTP Generation Process

  1. Time Calculation: Divide current Unix time by the time step
  2. Hash Generation: Apply HMAC-SHA algorithm to the secret and time
  3. Code Extraction: Extract digits from the hash result
  4. Formatting: Format the result as a numeric code

Why Use TOTP?

TOTP provides essential security benefits:

  • Two-Factor Authentication: Adds a second layer of security
  • Time Sensitivity: Codes expire automatically, reducing risk
  • Offline Capability: Works without internet connection
  • Wide Compatibility: Supported by most authentication systems
  • Standards Compliance: Follows RFC 6238 standard
  • User Control: Users control their authenticator devices

Features of This TOTP Emulator

This comprehensive TOTP emulator provides:

  • QR Code Scanning: Scan QR codes to extract TOTP secrets
  • Real-time Generation: Generate TOTP codes in real-time
  • Customizable Parameters: Adjust algorithm, digits, and time period
  • Copy Functionality: Easily copy generated codes
  • Multiple Algorithms: Support for SHA1, SHA256, and SHA512

Usage Instructions

Setting Up TOTP

  1. Scan QR Code: Use camera to scan a TOTP QR code
  2. Upload QR Code: Alternatively, upload a QR code image
  3. Manual Entry: Enter secret key manually if needed
  4. Configure Settings: Adjust algorithm, digits, and period

Using Generated Codes

  1. View Current Code: See the current TOTP code
  2. Copy Code: Click to copy the code to clipboard
  3. Monitor Expiry: Watch the countdown timer
  4. Auto-refresh: Codes update automatically

Configuration Options

  • Algorithm: Choose SHA1, SHA256, or SHA512
  • Digits: Set number of digits (6-8)
  • Period: Set time step in seconds (usually 30)
  • Issuer: Set the service or application name

TOTP Standards and Specifications

RFC 6238 Standard

TOTP follows the RFC 6238 standard which defines:

  • Time Step: Default 30-second intervals
  • Hash Algorithms: HMAC-SHA1, HMAC-SHA256, HMAC-SHA512
  • Code Length: 6-8 digits
  • Time Window: Tolerance for clock skew

OTPAuth URI Format

TOTP secrets are often shared via OTPAuth URIs:

otpauth://totp/ServiceName:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=ServiceName&algorithm=SHA1&digits=6&period=30

QR Code Format

QR codes contain OTPAuth URIs with:

  • Service Name: Name of the service or application
  • Username: User identifier (email, username, etc.)
  • Secret Key: Base32-encoded secret
  • Parameters: Algorithm, digits, period, issuer
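A parser for the URI format described above, as an added example that is not the emulator's own code. The sample URI and its account name are constructed, the defaults (SHA1, 6 digits, 30 seconds) and the 6-8 digit range follow the values listed on this page, and rejecting repeated parameters or an issuer mismatch is a choice made for this example.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

ALGORITHMS = {"SHA1", "SHA256", "SHA512"}

def parse_otpauth(uri: str) -> dict:
    """Parse and validate an otpauth://totp/ URI; raise ValueError if malformed."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")

    # The label is "Issuer:account" or just "account", percent-encoded.
    label = unquote(parts.path.lstrip("/"))
    prefix, _, account = label.rpartition(":")
    if not account.strip():
        raise ValueError("missing account name")

    query = parse_qs(parts.query, keep_blank_values=True)
    if any(len(values) != 1 for values in query.values()):
        raise ValueError("repeated parameter")  # ambiguous: which copy would win?
    params = {name: values[0] for name, values in query.items()}

    issuer = params.get("issuer", prefix)
    if prefix and issuer != prefix:
        raise ValueError("issuer parameter does not match label prefix")

    # Secrets are Base32; they are often shown lowercase, spaced and unpadded.
    secret = params.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("missing secret")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # ValueError if not Base32

    algorithm = params.get("algorithm", "SHA1").upper()
    digits = int(params.get("digits", "6"))
    period = int(params.get("period", "30"))
    if algorithm not in ALGORITHMS or not 6 <= digits <= 8 or period <= 0:
        raise ValueError("unsupported algorithm, digits or period")

    return {"issuer": issuer, "account": account.strip(), "key": key,
            "algorithm": algorithm, "digits": digits, "period": period}

# Constructed sample URI (the account name is made up for this example).
SAMPLE = ("otpauth://totp/ServiceName:alice%40example.com?secret=JBSWY3DPEHPK3PXP"
          "&issuer=ServiceName&algorithm=SHA1&digits=6&period=30")

if __name__ == "__main__":
    # Print everything except the key, which should never reach a log or terminal.
    print({k: v for k, v in parse_otpauth(SAMPLE).items() if k != "key"})
```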

Common Use Cases

Account Security

  • Email Accounts: Gmail, Outlook, Yahoo
  • Social Media: Facebook, Twitter, Instagram
  • Financial Services: Banking, investment platforms
  • Cloud Services: Google Cloud, AWS, Azure

Business Applications

  • VPN Access: Secure remote access
  • Admin Panels: Administrative interfaces
  • API Security: Secure API access
  • Internal Systems: Corporate applications

Developer Tools

  • GitHub: Repository access
  • GitLab: Code repository security
  • Docker Hub: Container registry access
  • CI/CD Systems: Deployment security

Security Best Practices

Secret Management

  • Secure Storage: Store secrets securely on devices
  • Backup Strategy: Create secure backups of TOTP secrets
  • Device Security: Protect devices with strong passwords
  • Secret Rotation: Rotate secrets periodically

Usage Guidelines

  • Never Share: Never share TOTP codes or secrets
  • Time Synchronization: Ensure device clock is accurate
  • Backup Codes: Keep backup codes in a secure location
  • Multiple Devices: Consider using multiple authenticator apps

Implementation Security

  • Server Validation: Implement proper server-side validation
  • Time Tolerance: Allow for reasonable clock skew
  • Rate Limiting: Prevent brute force attacks
  • Audit Logging: Log authentication attempts
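The four steps under "TOTP Generation Process" and the server-side checks listed above, combined in one added example that is not the emulator's own code. The `TotpVerifier` class, its in-memory state and its return strings are hypothetical; rejecting an already used time step is an extra check from RFC 6238 that the list above does not name.

```python
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """Steps 2-4: HMAC the 8-byte big-endian counter, truncate, format."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear top bit
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """Step 1: the counter is the number of whole periods since the Unix epoch."""
    return hotp(key, int(now) // period, digits, algorithm)

class TotpVerifier:
    """Server-side check for one account (state kept in memory for this example)."""

    def __init__(self, key, period=30, digits=6, algorithm="sha1",
                 window=1, max_failures=5):
        self.key, self.period, self.digits = key, period, digits
        self.algorithm = algorithm
        self.window = window              # accepted clock skew, in time steps either side
        self.max_failures = max_failures  # consecutive failures before lockout
        self.failures = 0
        self.last_step = -1               # highest time step already accepted

    def verify(self, code: str, now=None) -> str:
        if self.failures >= self.max_failures:
            return "locked"               # rate limit: no more guesses after N misses
        current = int(time.time() if now is None else now) // self.period
        matched = None
        for step in range(current - self.window, current + self.window + 1):
            expected = hotp(self.key, step, self.digits, self.algorithm)
            # Constant-time comparison; every step is checked, with no early return.
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if matched is None or matched <= self.last_step:
            self.failures += 1
            return "invalid" if matched is None else "replayed"
        self.last_step, self.failures = matched, 0
        return "ok"
```

A real deployment would persist `failures` and `last_step` per account and write each result to the audit log without the submitted code or the key.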

Technical Implementation

Algorithm Details

SHA1 (Default):

  • Most widely supported
  • 160-bit hash output
  • Compatible with most services

SHA256:

  • Stronger cryptographic security
  • 256-bit hash output
  • Recommended for new implementations

SHA512:

  • Highest security level
  • 512-bit hash output
  • Used by some high-security applications

Code Generation Formula

Time Synchronization

  • NTP Servers: Use Network Time Protocol for accuracy
  • Clock Skew: Allow tolerance for device clock differences
  • Time Windows: Validate codes within acceptable time range

Troubleshooting

Common Issues

  • Clock Synchronization: Ensure device time is accurate
  • Secret Format: Verify secret is properly Base32 encoded
  • Algorithm Mismatch: Check if correct algorithm is selected
  • Time Step: Verify time period matches server configuration

Error Resolution

  • Invalid Code: Check all configuration parameters
  • QR Code Issues: Ensure QR code is clear and complete
  • Manual Entry: Double-check secret key entry
  • Service Support: Verify service supports TOTP

Advanced Features

Multiple Accounts

  • Account Management: Store multiple TOTP accounts
  • Quick Switching: Switch between different services
  • Account Labels: Organize accounts with descriptive names

Export and Backup

  • Secret Export: Export secrets for backup
  • QR Code Generation: Generate QR codes for setup
  • Backup Codes: Generate recovery codes

Security Considerations

  • Device Security: Protect the device running the emulator
  • Network Security: Use secure networks when scanning QR codes
  • Secret Exposure: Never expose secrets in logs or screenshots
  • Physical Security: Protect physical access to devices

Technical Specifications

  • Standard Compliance: RFC 6238 TOTP standard
  • Algorithm Support: SHA1, SHA256, SHA512
  • Code Length: 6-8 digits configurable
  • Time Step: 30 seconds (configurable)
  • QR Code Support: Standard QR code scanning
  • Compatibility: Works with all TOTP-compatible services