Time-based One-time Password Algorithm

This page is a modified version of russau's JSFiddle. This website works in the browser and does not transmit any data. Check the GitHub page for more info.

This page contains a JavaScript implementation of the Time-based One-time Password Algorithm used by Google Authenticator and other OTP apps, described in the TOTP RFC Draft.

There are a lot of OTP applications available (check out Wikipedia's list). TOTP is an open standard, so you can use these apps to create one-time passwords for your own application. Some apps can add an OTP by scanning a QR code with a valid format.

This page implements the same OTP algorithm these apps use – you would use this same algorithm server-side to verify an OTP. Test it by setting the OTP Label and Base32 secret and scanning the QR code in your app. The OTP on your app should be the same as the one at the bottom of this page. (This browser and your app must be synchronized using an internet time source to generate the same OTP codes.)

The properties used below, as well as the QR code generated, are based on the OTP Key URI format by Google.

OTP properties

Label:

Secret: (in Base32)

Issuer: (optional)

QR Code options

background:

backgroundAlpha:

foreground:

foregroundAlpha:

Level: L M Q H

mime:

padding (pixels):

size (pixels):

value:

One-time Password

Updating in s

Time-based One-time Password Algorithm

OTP properties

One-time Password

Unix epoch div 30 (padded hex)

Secret (hex)

HMAC (secret, time)

QR Code

Permalink