Which phone app should I use?

**All popular ones** scan our QR: - **Google Authenticator**: Android/iOS, free - **Microsoft Authenticator**: free - **Authy**: free, multi-device sync - **1Password**: paid, password-manager integration - **Bitwarden Authenticator**: open source - **Aegis**: Android, open source, best for privacy - **Raivo OTP**: iOS, open source

Will this secret work in my application?

**Yes** if your app uses a standard TOTP library (otplib, speakeasy, twofactor). When configuring the backend, **use the secret in base32 form** (32 chars). **Default parameters** (SHA-1, 6 digits, 30s) work in every library. For SHA-256/512 verify your server supports it.

Does the secret leave the browser?

**No**. Secret generation (Web Crypto API), base32 encoding, QR (bwip-js in-browser): **all local**. **DevTools → Network** = no requests. The secret **never leaves the device**.

SHA-1 vs SHA-256 vs SHA-512?

**SHA-1**: RFC 6238 default, supported **EVERYWHERE**. Although SHA-1 is "cryptographically broken", in **HMAC-TOTP it doesn't matter in practice** (no time for collision attacks within the 30s window). **SHA-256/512**: stronger but some legacy 2FA apps don't support them. **Stick with SHA-1** unless you specifically need stronger.

**Standard = 6 digits** (10^6 = 1M combos). **8 digits** = 100M, much harder to guess. **But** most TOTP servers expect **6, not 8**. Check your app docs before changing.

What if I lose my Authenticator phone?

**If you saved the secret** (paper backup): add it to a new Authenticator app, get **the same codes**. **If not**: TOTP recovery is impossible. Use [backup codes](/en/backup-codes-generator). **Without backup codes** only the service's account-recovery (email, SMS, support) remains. **Lesson**: **always save secret + backup codes** once at 2FA setup.

Can I use the same secret on multiple devices?

**Yes**. The secret is a key, **any device whose Authenticator has the same secret** generates **the SAME codes**. You can have Authenticator on phone + laptop + the secret on paper. **All three** give you the same 6-digit code at the same time. **A feature, not a bug**, gives you redundancy in case you lose the phone.

TOTP 2FA Secret Generator - free

QR code to scan

Secret (base32)

-

Type it in by hand if the app cannot read the QR.

otpauth:// URI

Issuer

Service name shown in the app.

Account

Your email or login in the account list.

Algorithm

Digits

Period

Safest compatibility: SHA-1, 6 digits, 30 s. Some apps do not support SHA-256 or 8 digits.

Secret generated locally, never sent to a server.

Generate backup codes too

How do I add 2FA (Google Authenticator) to my app?

Generates a TOTP secret for 2FA: a random key + ready-to-scan QR code for Google Authenticator, Authy, 1Password, Microsoft Authenticator, Aegis.

The RFC 6238 standard: 160-bit base32 secret + the standard "otpauth://totp/..." URI used by every popular 2FA app.

Perfect for adding 2FA to your own app, testing integrations, migrating 2FA between authenticators.

How to use it

"Issuer" = app/service name (e.g. "MyService", "Bank ABC"). Shows up as the title in Authenticator.

"Account" = user identifier (e.g. "jan@company.com"). Shows under the issuer.

Leave the defaults SHA-1, 6 digits, 30s, the industry standard. Every popular Authenticator supports it.

Scan the QR with the Authenticator app on your phone. Or copy the secret and type it as "Setup Key".

The phone starts showing 6-digit codes refreshing every 30s.

Save the secret somewhere safe (paper, password manager). Without it, if you lose the phone, you can't recover. Also generate backup codes for extra protection.

When this is useful

Four typical situations where a TOTP secret generator solves a concrete problem:

Building your own app with 2FA. Generate a per-user secret, store it server-side; here you can test the flow before plugging in a library like otplib/speakeasy.
Migrating Google Authenticator → Authy/1Password/Aegis. Import via QR.
Adding 2FA to tools that don't natively support it (your own VPS, private services via SSH-OTP).
Education. See exactly what an otpauth URI looks like, what fields are required, how base32 encodes the secret.

For end users: if a service (Google, GitHub) generates a QR for you, you don't need this tool, use their built-in flow.

Questions and answers

TOTP (Time-based One-Time Password): the RFC 6238 standard for two-factor authentication. The Authenticator app stores a shared secret with the server; every 30 seconds it computes a 6-digit code from the secret + current time. The server does the same and compares. An attacker who knows your password but doesn't have the Authenticator phone can't log in.

How do I add 2FA (Google Authenticator) to my app?

Generates a TOTP secret for 2FA: a random key + ready-to-scan QR code for Google Authenticator, Authy, 1Password, Microsoft Authenticator, Aegis.

The RFC 6238 standard: 160-bit base32 secret + the standard "otpauth://totp/..." URI used by every popular 2FA app.

Perfect for adding 2FA to your own app, testing integrations, migrating 2FA between authenticators.

How to use it

"Issuer" = app/service name (e.g. "MyService", "Bank ABC"). Shows up as the title in Authenticator.

"Account" = user identifier (e.g. "jan@company.com"). Shows under the issuer.

Leave the defaults SHA-1, 6 digits, 30s, the industry standard. Every popular Authenticator supports it.

Scan the QR with the Authenticator app on your phone. Or copy the secret and type it as "Setup Key".

The phone starts showing 6-digit codes refreshing every 30s.

Save the secret somewhere safe (paper, password manager). Without it, if you lose the phone, you can't recover. Also generate backup codes for extra protection.

When this is useful

Four typical situations where a TOTP secret generator solves a concrete problem:

Building your own app with 2FA. Generate a per-user secret, store it server-side; here you can test the flow before plugging in a library like otplib/speakeasy.
Migrating Google Authenticator → Authy/1Password/Aegis. Import via QR.
Adding 2FA to tools that don't natively support it (your own VPS, private services via SSH-OTP).
Education. See exactly what an otpauth URI looks like, what fields are required, how base32 encodes the secret.

For end users: if a service (Google, GitHub) generates a QR for you, you don't need this tool, use their built-in flow.

Questions and answers

TOTP 2FA Secret Generator

How do I add 2FA (Google Authenticator) to my app?

How to use it

When this is useful

Questions and answers

Related tools

2FA Backup Codes Generator

Password Generator

QR Code Generator

TOTP 2FA Secret Generator

How do I add 2FA (Google Authenticator) to my app?

How to use it

When this is useful

Questions and answers

Related tools

2FA Backup Codes Generator

Password Generator

QR Code Generator