Generate and validate time-based OTP (TOTP) and HMAC-based OTP (HOTP) for multi-factor authentication. Supports custom secrets and step intervals.
OTP is a password valid for only one session. TOTP generates a new code every 30 seconds using a shared secret and the current time.
TOTP is defined in RFC 6238 and uses HMAC-SHA1. Used by Google Authenticator and Authy.
TOTP (Time-based OTP) generates a code based on the current time, refreshing every 30 seconds — used by Google Authenticator. HOTP (HMAC-based OTP) uses an incrementing counter instead of time, suitable for hardware tokens and offline scenarios where clock sync is not guaranteed.
TOTP (time-based) is an extension of HOTP (counter-based), using the current timestamp instead of a counter. TOTP refreshes every 30 seconds — even if an OTP is intercepted it expires quickly — and is the standard used by Google Authenticator, Authy, and other apps. HOTP is based on an incrementing counter and does not require time synchronization, making it suitable for offline hardware tokens. Modern 2FA almost universally uses TOTP (RFC 6238).