TOTP Authenticator
Save TOTP secrets and watch live 6-digit codes rotate.
Overview
The TOTP Authenticator stores the shared secrets that two-factor authentication services give you when you enable an authenticator app, and it generates the rotating 6-digit codes from them in real time. Each saved entry is associated with a service and an account, and the unlocked view shows the current code, a countdown to the next rotation, and a one-click copy action. It is a focused alternative to a heavyweight authenticator app, useful as a desktop companion when your phone is across the room or out of charge.
The use case is straightforward, but the trust model deserves a moment. TOTP secrets are sensitive: anyone with access to them can produce valid codes. The authenticator encrypts every secret in the browser with a passphrase you choose, and only ciphertext is written to local storage. Without the passphrase the data is unreadable; with the passphrase, the secrets are as exposed as if they had never been encrypted, so the protection is only as good as the passphrase. As with any 2FA setup, keep backup codes and a recovery method elsewhere, because losing access to a secret means losing 2FA for that account.
How it works
You add an entry by pasting the base32 secret the service provided, or by entering it from the QR code's text representation. The authenticator stores it encrypted. The unlocked view recomputes each code on a 30-second window, showing the current code and a visible countdown to the next rotation. Search and labels make it easy to find a specific entry among many.
Entries live in your browser's local storage. Locking clears the decrypted state from memory; re-entering the passphrase decrypts again.
Examples
- Storing the TOTP secret for a personal email account, with a label that includes the email address.
- Holding a backup of a server's sudo-2FA secret, labelled with the host name, for emergency desktop access.
- Saving codes for two cloud-provider accounts, separated by environment in the label.
- Keeping a code for a rarely-used service that issues TOTP, so you avoid the recovery dance the next time you log in.
FAQ
How is the secret stored?
A key derived from your passphrase encrypts each secret before it is written to local storage.
Can I import existing TOTP secrets?
Yes, you can paste the base32 secret. Some services display this text alongside the QR code; otherwise check the recovery dialog.
Will the codes match my phone's app?
Yes, assuming the same secret and accurate device clocks. TOTP is standardised in RFC 6238.
What if I lose the passphrase?
The encrypted secrets are unrecoverable. Always keep service-provided backup codes in another place.
Is this safer than SMS 2FA?
For most threats, yes. TOTP is resistant to SIM-swap and phishing-by-relay attacks that catch SMS codes.