How to Generate a 2FA Code From a Secret Key
Updated 2026-06-21
To generate a 2FA code from a secret key, paste the TOTP secret (the long string of letters and numbers a site shows when you set up two-factor authentication) into a TOTP authenticator. It instantly produces the current 6-digit code and refreshes it every 30 seconds — the same number a phone authenticator app would show.
What a TOTP secret key is
When a website turns on two-factor authentication, it gives you a shared secret — usually displayed as a QR code, with a "can't scan it?" link revealing the raw key. That key is a Base32 string like JBSWY3DPEHPK3PXP, often shown in spaced groups of four characters. TOTP (Time-based One-Time Password) feeds that secret plus the current time through an HMAC algorithm to produce a short-lived code. Because both the server and your device know the secret and agree on the clock, they compute the same number independently — no network call required.
Generate a code in three steps
- Open the TOTP / 2FA Authenticator and paste your Base32 secret. Spaces and lowercase letters are fine; they get normalized automatically.
- Read the 6-digit code that appears. A countdown shows how many seconds remain in the current 30-second window before it rolls over.
- Type the code into the login prompt before the timer expires. If you're close to the boundary, wait for the next code so it doesn't expire mid-typing.
That's it. The code is valid for the standard 30-second step that nearly every service uses (Google, GitHub, AWS, Microsoft, and most others follow the same RFC 6238 default of 6 digits and SHA-1).
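The computation described above (Base32 secret, current 30-second time step, HMAC, truncation to 6 digits) can be reproduced offline with Python's standard library. This is an added example, not the code of the authenticator tool this page describes; the function names are illustrative, and the fixed-time demo uses the secret published in the RFC 6238 test vectors.

```python
import base64
import hmac
import struct
import time


def decode_secret(secret):
    """Base32-decode a TOTP secret, tolerating spaces, lowercase and missing padding."""
    cleaned = "".join(secret.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)   # b32decode requires a multiple of 8 characters
    return base64.b32decode(cleaned)


def totp(secret, at=None, digits=6, period=30, algorithm="sha1"):
    """Return the RFC 6238 code for the time step containing Unix time `at` (default: now)."""
    now = time.time() if at is None else at
    counter = int(now // period)                         # time steps elapsed since the epoch
    message = struct.pack(">Q", counter)                 # counter as 8-byte big-endian integer
    mac = hmac.new(decode_secret(secret), message, algorithm).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)       # keep leading zeros


def seconds_remaining(at=None, period=30):
    """Seconds left before the current code rolls over."""
    now = time.time() if at is None else at
    return period - int(now) % period


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), typed the way sites
    # display it: lowercase, in groups of four.
    rfc_secret = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    print(totp(rfc_secret, at=59))             # 287082 (fixed time, reproducible)
    print(totp(rfc_secret, at=60))             # 359152 (one second later, next time step)
    print(totp(rfc_secret, at=59, digits=8))   # 94287082
    # The sample key from this article, evaluated against the local clock.
    print(totp("JBSW Y3DP EHPK 3PXP"), "valid for", seconds_remaining(), "more seconds")
```

The `digits`, `period` and `algorithm` arguments cover services that specify something other than the 6-digit / 30-second / SHA-1 default.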
Common pitfalls
- Wrong code every time? Your device clock is probably off. TOTP is time-based, so even a 60-second drift produces invalid codes. Sync your system clock and try again.
- Non-standard setups. A few services use 8-digit codes, a 60-second period, or SHA-256/SHA-512. If a site specifies those, match the settings — otherwise the default 6-digit / 30-second / SHA-1 combination is correct.
- Treat the secret like a password. Anyone holding the secret can generate valid codes forever. Store it in a password manager, and don't paste it into random websites you don't trust.
Why doing it locally matters
A 2FA secret is effectively a permanent skeleton key to your account, so where you type it is critical. This tool runs entirely in your browser — the secret is processed by JavaScript on your own device and is never uploaded to a server. Nothing is logged, stored remotely, or transmitted. That makes it safe for a quick code when you don't have your phone handy, for testing 2FA during development, or for keeping a backup generator for a critical account.
It's also handy as a backup if you ever lose access to your phone but still have the original secret key saved — you can recover working codes without it.
Ready to get a code? Open the TOTP / 2FA Authenticator, paste your secret, and read off the current number.