Hero Background

Next-Gen App & Browser Testing Cloud

Trusted by 2 Mn+ QAs & Devs to accelerate their release cycles

Next-Gen App & Browser Testing Cloud

Free 2FA Code Generator Online - TestMu AI (Formerly LambdaTest)

Generate TOTP (Time-based One-Time Password) codes from your secret key for services like Google, Facebook, Instagram, and others, fully in your browser.

2FA Secret Key

Enter the 2FA secret key from the service you want to use. Spaces and formatting will be cleaned automatically.

Used only to label the QR code so your authenticator app shows a recognizable name.

Advanced Options

Your secret key is never stored on our servers and is only processed on your device.

What is a 2FA (TOTP) Code Generator?

Two-factor authentication (2FA) adds a second step to logging in: after your password, a service asks for a short, frequently-changing code. This tool turns the Base32 secret key a service gives you into that code, a Time-based One-Time Password (TOTP), exactly like an authenticator app such as Google Authenticator, Microsoft Authenticator or Authy. Everything is computed locally in your browser using the Web Crypto API, so your secret never leaves your device.

How TOTP Works

  • The current Unix time is divided by the period (usually 30 seconds) to get a counter value.
  • An HMAC (SHA-1, SHA-256 or SHA-512) is computed over that counter using your secret key.
  • A standard dynamic truncation step turns the HMAC into a number, which is reduced to the configured number of digits (6, 7 or 8).
  • Because the counter advances with time, the code automatically refreshes every period, the bar below the code shows the time remaining.

How to Use This Tool

  • When setting up 2FA, choose “enter key manually” / “can’t scan QR code” to reveal the Base32 secret.
  • Paste it into the 2FA Secret Key field.
  • Leave the defaults (SHA-1, 6 digits, 30s) unless your service specifies otherwise, adjust them under Advanced Options if needed.
  • Click Generate Code and copy the current code before the timer runs out.

Key Features

  • 100% client-side: codes are generated in your browser; nothing is uploaded.
  • TOTP and HOTP: supports both time-based and counter-based modes.
  • Configurable: SHA-1/256/512, 6–8 digits, 30/60-second periods.
  • Live countdown: see exactly how long the current code is valid.
  • Recent keys: stored only in your browser’s local storage, never on our servers.

Difference Between TOTP and HOTP

Both are one-time password algorithms from the same family, but they differ in what drives the code. This tool generates either; the table shows when to pick each.

AspectTOTP (time-based)HOTP (counter-based)
Moving factorThe current time divided by the periodA counter that increments per use
When the code changesAutomatically every period (usually 30s)Only when the counter advances
Needs an accurate clockYes, client and server clocks must agreeNo, but the counters must stay in sync
StandardRFC 6238RFC 4226
Typical useMost app and website loginsHardware tokens and some legacy systems

Use Cases for the 2FA Code Generator

The generator is handy whenever you need a one-time code without your phone, and it pairs with the other free security tools from TestMu AI.

Frequently Asked Questions (FAQs)

What is a 2FA / TOTP code generator?

A 2FA code generator turns a service’s Base32 secret key into a Time-based One-Time Password (TOTP), the same 6-digit code an authenticator app shows. The code changes every 30 seconds and is used as the second factor when logging in.

Is my secret key safe? Is anything sent to a server?

Your secret key never leaves your device. All HMAC and code generation happens locally in your browser using the Web Crypto API. Recent keys are kept only in your browser’s local storage.

Where do I find my 2FA secret key?

When a service shows a QR code to set up 2FA, look for a “can’t scan the code?” or “enter key manually” option that reveals a Base32 secret (letters A–Z and digits 2–7). Paste that here, spaces and formatting are cleaned automatically.

What do the algorithm, digits and period options mean?

Most services use the defaults: SHA-1, 6 digits and a 30-second period. Some use SHA-256/SHA-512, 7–8 digits, or a 60-second period. If a code is rejected, confirm these settings match what your service expects.

What is the difference between TOTP and HOTP?

TOTP (time-based) derives the code from the current time, so it changes automatically every period. HOTP (counter-based) derives the code from a counter value that increments each time a code is used. This tool supports both.

Why does my code not match the one in my authenticator app?

The most common cause is an incorrect device clock, TOTP relies on accurate time. Make sure your system clock is synced. Also verify the algorithm, digit count and period match the service’s settings, and that you pasted the full secret key.

Can I add the key to my phone with the QR code?

Yes. After you generate a code, a QR code that encodes the otpauth URI appears. Scan it with Google Authenticator, Authy, or any compatible app to add the account to your phone without typing the secret.

Should I use this as my only place to store 2FA secrets?

No. Treat this tool as a convenience for testing and recovery, not a vault. Keep your secrets in a dedicated authenticator app or password manager, and store backup codes somewhere safe.

Did you find this page helpful?

TestMu AI forEnterprise

Get access to solutions built on Enterprise
grade security, privacy, & compliance

  • Advanced access controls
  • Advanced data retention rules
  • Advanced Local Testing
  • Premium Support options
  • Early access to beta features
  • Private Slack Channel
  • Unlimited Manual Accessibility DevTools Tests