Hash Lab

Application

TOTP authenticator

The math behind Google Authenticator, Authy, Microsoft Authenticator, 1Password TOTP, and every other authenticator app. RFC 6238 specifies a six-digit code from HMAC-SHA-1(secret, ⌊time/30⌋) with a dynamic truncation step. Watch it tick.

Default is the standard RFC 6238 test vector. Any base32 string works.

Current TOTP code · refreshes in 26s

Unix time

1779809014

Counter ⌊t/30⌋

59326967

Algorithm

HMAC-SHA-1, 6 digits, 30s

RFC 6238 in five steps

  1. Decode the base32 secret into bytes.
  2. Compute the counter T = ⌊unix_time / 30⌋.
  3. Encode T as 8 big-endian bytes.
  4. Compute HMAC-SHA-1(secret, T_bytes).
  5. Dynamic-truncate to 31 bits, take mod 106, zero-pad to 6 digits. Done.