TOTP Generator (RFC 6238)

Concept explaination by ItsMe Prince

------

Expires in 30s

Demo Secret (Base32)

JBSWY3DPEHPK3PXP

Shared secret between server and authenticator

How TOTP Works - Step by Step

Time Step Calculation

Current Unix timestamp divided by 30 seconds (default interval).time_step = floor(current_time / 30)

HMAC-SHA1 Computation

Secret key + time step processed through HMAC-SHA1 algorithm.hash = HMAC-SHA1(secret, time_step)

Dynamic Truncation

Extract 4-byte dynamic binary code from HMAC result using offset bits.offset = last_4_bits(hash)

Generate 31-bit Number

Convert truncated bytes to 31-bit unsigned integer.number = bytes_to_int(hash[offset:offset+4]) & 0x7FFFFFFF

Create 6-digit Code

Take modulo 1,000,000 to get 6-digit number, pad with zeros if needed.otp = number % 1,000,000

Mathematical Foundation

The TOTP algorithm follows this formula:

TOTP = HOTP(K, T) = Truncate(HMAC-SHA1(K, T)) mod 10^d

Where:

• K = Shared secret key

• T = Time step counter (current Unix time / 30)

• d = Number of digits (usually 6)

Time window: OTP valid for 30 seconds, ±1 window for clock drift

Both server and client generate same OTP using synchronized time

Offline Operation

Both device and server share the same secret. Since time is synchronized (using UTC), both can independently compute identical OTPs without network communication.

Secret exchanged once via QR code during setup

Algorithm uses time as the only changing input

Deterministic: Same time + same secret = same OTP

Security Properties

TOTP provides strong security through:

Time-based: OTPs expire in 30s, minimizing replay attack window
One-time use: Each code used only once, even within same time window
Forward secrecy: Compromised OTP doesn't reveal future codes
HMAC-based: Cryptographically strong hash function

This page exposes the secret for learning. In production, secrets are never shown after initial setup.

Production Implementation

Secure Storage • Secret encrypted in database, never logged
One-time QR • Setup QR shown once, then destroyed
Backend Validation • OTP verified server-side with time tolerance
Clock Sync • Servers use NTP with strict tolerance (±1-2 minutes)

Common Use Cases

2FA / MFA

Second factor for login security

Transaction Auth

Banking & financial transactions

API Access

Temporary API tokens

VPN Access

Secure network access

Hope you learn something new!

GitHub Repository

YouTube Channel

Based on RFC 6238 (TOTP) and RFC 4226 (HOTP)