Online Authenticator Check

🎉 This is the most common OTP

Time-based One-time Password (TOTP) is a time-based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a timestep. As a rule, timesteps tend to be 30 seconds or 60 seconds in length. If you haven’t used your password within that window, it will no longer be valid, and you’ll need to request a new one to gain access to your application.

TOTP is a time based one-time password. It lives only for a few seconds (the period). You just have to be sure that the clock of your server and your device are synchronized. This is the most common OTP.

How to generate TOTP online

1. Create your TOTP secret (setup key)
2. Create one-time passwords based on your secret
3. Check your generated OTP if its still valid

#1 Create TOTP Secret

Set a label

For e.g the users email address. You must set label before to generate ProvisioningURI/QR code

Set an issuer

By default and to be compatible with Google Authenticator, the issuer is set in the query parameters and as the label prefix.

Additionally add issuer as query parameter?

Image

Some applications such as FreeOTP can load images from an URI (image parameter). It need to be a valid URL to an image.

ℹ The most common parameters used by services is a period of 30 seconds, sha1 alorithm and 6 Digits for your OTP code. If you are not sure what parameters are used by your service, always use this as default.
Period in seconds

Set the period how long the OTP is valid, recommend is 30 seconds

Algorithm md2 md4 md5 sha1 sha224 sha256 sha384 sha512/224 sha512/256 sha512 sha3-224 sha3-256 sha3-384 sha3-512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b crc32c fnv132 fnv1a32 fnv164 fnv1a64 joaat murmur3a murmur3c murmur3f xxh32 xxh64 xxh3 xxh128 haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5

You must verify that the algorithm you want to use is supported by the application your clients might be using.

Digits

How much digits should the OTP have

Create TOTP Secret

---

#2 Generate TOTP Code

Generate a new TOTP Code

Enter a generated TOTP (Time based) secret

Period in seconds

What period used for the secret

Algorithm

What algorithm was used for the secret

Digits

How much digits set for your created secrete

Generate TOTP Code

---

#3 Check TOTP Code

Secret

Normally the secret is securly saved on server-side DB, however on test you have to enter manually

Generated TOTP Code to auth

Based on your secret

Period in seconds

What period used for the secret

Algorithm

What algorithm used for the secret

Digits

How much digits set for your created secrete

Check TOTP Code

---

The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). Put in layman’s terms, HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. Each time the HOTP is requested and validated, the moving factor is incremented based on a counter. The code that’s generated is valid until you actively request another one and it’s validated by the authentication server. The OTP generator and the server are synced each time the code is validated and the user gains access.

HOTP is a counter based one-time password. Every time a password is used, the counter is updated. You have to verify that the server and the device are synchronized

How to generate HOTP online

1. Create your HOTP secret (setup key)
2. Create one-time passwords based on your secret
3. Check your generated OTP if its still valid

#1 Create HTOP Secret

Set Start Counter

HOTP is counter based so you need to define a start counter

Set a label

For e.g the users email address. You must set label before to generate ProvisioningURI/QR code

Set an issuer

By default and to be compatible with Google Authenticator, the issuer is set in the query parameters and as the label prefix.

Additionally add issuer as query parameter?

Image

Some applications such as FreeOTP can load images from an URI (image parameter). It need to be a valid URL to an image.

Algorithm md2 md4 md5 sha1 sha224 sha256 sha384 sha512/224 sha512/256 sha512 sha3-224 sha3-256 sha3-384 sha3-512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b crc32c fnv132 fnv1a32 fnv164 fnv1a64 joaat murmur3a murmur3c murmur3f xxh32 xxh64 xxh3 xxh128 haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5

You must verify that the algorithm you want to use is supported by the application your clients might be using.

Digits

How much digits should the OTP have

Create HOTP

---

#2 Generate HOTP Code

Generate a new HOTP Code to auth

Enter a generated HOTP (Hash based) secret

Counter

Every time a password is used, the counter is updated. You have to verify that the server and the device are synchronized

Algorithm

What algorithm used for the secret

Digits

How much digits set for your created secrete

Generate

---

Check HOTP Code

Secret

Normally the secret is securly saved on server-side DB, however on test you have to enter manually

Generated HOTP Code to auth

Based on your HOTP secret

Counter

HOTP is a counter based one-time password. Every time a password is used, the counter is updated. You have to verify that the server and the device are synchronized.

Algorithm

What algorithm used for the secret

Digits

How much digits set for your created secrete

Check

---