Q: Is my secret key safe?
Yes. All processing happens entirely in your browser using the Web Crypto API. Your secret key is never transmitted to any server. You can verify this by inspecting the network traffic in your browser's developer tools.
Q: What is a Base32 secret key?
Base32 is an encoding scheme that uses the characters A-Z and 2-7 to represent binary data. It is the standard encoding for TOTP secret keys because it is case-insensitive and avoids ambiguous characters. Most authenticator apps expect the secret in Base32 format.
Q: Why does the code change every 30 seconds?
The default time period for TOTP is 30 seconds, as defined in RFC 6238. This provides a balance between security (codes expire quickly) and usability (enough time to read and enter the code). Some services use 60 seconds for a longer window.
Q: Which algorithm should I use?
SHA-1 is the most widely supported algorithm and is the default for most authenticator apps including Google Authenticator. SHA-256 and SHA-512 offer stronger cryptographic security but are not supported by all services. Use SHA-1 unless your service specifically requires a different algorithm.
Q: What is the otpauth:// URI?
The otpauth:// URI is a standard format for encoding TOTP parameters (secret, algorithm, digits, period, issuer) into a single string. This URI can be embedded in a QR code for easy scanning by authenticator apps. It follows the format defined by Google Authenticator.
Q: Can I use this tool to set up 2FA for my accounts?
This tool is primarily for testing and development purposes. When setting up 2FA for real accounts, always use a dedicated authenticator app (Google Authenticator, Authy, etc.) that securely stores your secret keys. Never share your secret keys or store them in plain text.
Q: My generated code doesn't match my authenticator app. Why?
Ensure that the secret key, algorithm, digits, and time period match exactly between this tool and your authenticator app. Also verify that your device clock is synchronized — TOTP relies on accurate time. Even a few seconds of clock drift can cause mismatches.
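The following is an added example, not this tool's own code: it computes a TOTP with the Web Crypto API from a Base32 secret and reports which neighbouring time step, if any, produces a given code, which separates clock drift from a parameter mismatch. The names `base32Decode`, `totp`, `findDrift` and `RFC_SECRET` are assumptions made for this sketch, and the sample key is the published RFC 6238 test key, not a real secret.

```javascript
// Added example (not the tool's code). RFC_SECRET is the RFC 6238 Appendix B
// SHA-1 test key, the ASCII string "12345678901234567890" encoded as Base32.
const RFC_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require('node:crypto').webcrypto.subtle; // fallback for older Node.js

// Decode Base32 (A-Z, 2-7): case-insensitive, ignores whitespace and '=' padding.
function base32Decode(input) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  const clean = input.toUpperCase().replace(/[\s=]/g, '');
  const out = [];
  let buffer = 0, bits = 0;
  for (const ch of clean) {
    const value = alphabet.indexOf(ch);
    if (value === -1) throw new Error(`Invalid Base32 character: ${ch}`);
    buffer = (buffer << 5) | value;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((buffer >>> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return new Uint8Array(out);
}

// TOTP for a Unix time in seconds. hash is 'SHA-1', 'SHA-256' or 'SHA-512'.
async function totp(secretB32, unixSeconds, { hash = 'SHA-1', digits = 6, period = 30 } = {}) {
  const counter = Math.floor(unixSeconds / period);
  const msg = new DataView(new ArrayBuffer(8));    // 8-byte big-endian counter
  msg.setUint32(0, Math.floor(counter / 2 ** 32));
  msg.setUint32(4, counter >>> 0);
  const key = await subtle.importKey('raw', base32Decode(secretB32),
    { name: 'HMAC', hash }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, msg.buffer));
  const o = mac[mac.length - 1] & 0x0f;            // dynamic truncation offset
  const bin = ((mac[o] & 0x7f) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Return the time-step offset within +/- steps whose code equals `observed`.
// Non-zero: clocks differ by about offset * period seconds. null: no match.
async function findDrift(secretB32, observed, unixSeconds, opts = {}, steps = 2) {
  const period = opts.period || 30;
  for (let step = -steps; step <= steps; step++) {
    if (await totp(secretB32, unixSeconds + step * period, opts) === observed) return step;
  }
  return null; // not drift: re-check secret, algorithm and digits
}
```

A `null` result from `findDrift` points at the secret, algorithm or digit count rather than the clock.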