Project Nayuki


Time-based One-Time Password tools

Introduction

The TOTP algorithm takes a secret key, a few configuration parameters (not sensitive), and the current timestamp. From these, it computes a seemingly random value that varies over time. This algorithm is defined in RFC 6238.

TOTP is used as a popular two-factor authentication (2FA) method for online services. The server and the user each have a copy of the secret key, so both sides can compute and verify the pseudorandom passcode. Because the passcode changes by the minute, an attacker who captures it (e.g. from keylogging or network sniffing) has only a short window to use it, unlike capturing a password which can be valid for months.

The old RSA SecurID token predates TOTP by decades and operates on the same technical principles. However, SecurID is proprietary and runs on a standalone battery-powered device, whereas TOTP is open source and typically runs as a smartphone app.

Program (JavaScript)

Basic input/output
Secret key: (Base32)
TOTP code:
Advanced options
Code length: (from 1 to 9)
Timestamp:
(Unix seconds)
Time epoch: (Unix seconds)
Time step: seconds

Source code

Each language version includes library functions, a main program, and a test suite.