2FA Code Generator

Paste your secret key, get a TOTP code. Runs entirely in your browser — nothing is sent to a server.

🔒 Client-side only ⚡ No account needed 📡 Works offline
Your secret key never leaves your device. Nothing is stored or transmitted.

Why use 2FA.zip?

A fast, private way to generate TOTP codes when you need them.

Nothing leaves your browser
Your secret key is processed entirely on your device using the Web Crypto API. No server, no network request, no logging.
Instant code generation
Paste your key and get a working 6-digit code in under a second. Auto-refreshes every 30 seconds.
Works without internet
Load the page once, then go offline. TOTP codes are generated from your device clock — no connection required.
No cookies or storage
Nothing is written to cookies, localStorage, or any database. Close the tab and your key is gone.
Use it anywhere
Works on any device with a modern browser — phone, tablet, laptop, desktop. No app install needed.
Standards compliant
Uses the same RFC 6238 TOTP algorithm as Google Authenticator, Authy, and every major authenticator app.

How to generate 2FA codes

Three steps. No sign-up, no download, no hassle.

1
Find your secret key
Open your account's 2FA settings. Look for the setup key or "can't scan QR code" option to reveal the text secret.
2
Paste it above
Enter the base32 key into the field at the top of this page. Spaces and dashes are automatically removed.
3
Get your code
A 6-digit code appears instantly. It refreshes every 30 seconds, so you always have a current one ready.

What is a TOTP code?

TOTP stands for Time-based One-Time Password. It is a method for generating short-lived codes that prove you have access to a shared secret, without sending that secret over the internet every time you log in.

When you enable two-factor authentication on an account, the service gives you a secret key. Your authenticator app (or this tool) combines that key with the current time and runs them through a hash function (HMAC-SHA1). The output is truncated to a 6-digit number. Because both sides know the secret and the time, they both arrive at the same code independently.

Codes change every 30 seconds. Once a window passes, that code is dead. This is why TOTP is a meaningful upgrade over SMS-based two-factor authentication — with SMS, codes are sent in plaintext over the phone network, where they can be intercepted through SIM swapping or SS7 exploits. TOTP codes never travel over a network at all.

The algorithm is defined in RFC 6238 and is the same standard used by Google Authenticator, Microsoft Authenticator, Authy, and pretty much every other authenticator app on the market.

Security & privacy

Everything happens in your browser. When you enter a secret key, it goes straight into the Web Crypto API on your device. No network requests, no server processing, no third-party scripts touching your key.

We do not set cookies, write to localStorage, or log anything about your visit beyond anonymous page-view analytics. Your secret key exists in memory only while the page is open. Close the tab and it is gone. There is no "remember me" option on purpose.

Because the tool runs entirely client-side, it keeps working after you go offline. Load the page once, disconnect, and generate codes for as long as you need. Your device's clock is the only external dependency.

Works with every TOTP-compatible service

If your account supports an authenticator app, it works here.

Google GitHub Discord AWS Microsoft Binance Steam Coinbase Facebook Dropbox GitLab Slack Reddit Twitch LinkedIn Shopify WordPress 1Password Cloudflare + thousands more

Frequently asked questions

What is a 2FA setup code?
A 2FA setup code (also called a secret key) is a base32-encoded string your service gives you when you turn on two-factor authentication. It is the shared secret that both your authenticator and the service use to generate matching codes. You usually get it as a QR code, but there is always a text version you can copy instead.
How often does the code refresh?
Every 30 seconds. The TOTP standard ties code generation to the current time, split into 30-second windows. When the timer runs out, a new code is calculated automatically. The old code stops working once the next window starts (most services allow a small grace period).
Is this tool secure?
Yes. Your secret key never leaves your browser. All code generation happens locally using the Web Crypto API built into your browser. We do not send your key to any server, and nothing is stored in cookies, localStorage, or any database.
Does this work offline?
It does. After the page loads once, you can disconnect from the internet and the generator keeps working. The codes are computed entirely on your device using the current time, so no network connection is needed.
What if my code doesn't work?
The most common cause is a clock that is off by more than 30 seconds. Check that your device time is set to sync automatically. Also double-check that you copied the full secret key with no extra spaces. Some services are case-sensitive about their keys.
Is this compatible with Google Authenticator?
Yes. This tool uses the same TOTP algorithm (RFC 6238) as Google Authenticator, Microsoft Authenticator, Authy, and every other standards-compliant authenticator app. Any secret key that works with those apps will produce the same codes here.
How is this different from an authenticator app?
An authenticator app stores your secret keys so you do not have to re-enter them each time. This tool does not store anything. It is useful when you need a code quickly, when you are on a device without your authenticator app, or when you want to verify a key during setup.
Can I use this for multiple accounts?
You can generate codes for any account, one at a time. Paste in a different secret key and you get the code for that account. Since we do not store keys, you will need to enter each one manually every time.
What is TOTP vs HOTP?
TOTP (Time-based One-Time Password) generates codes based on the current time. HOTP (HMAC-based One-Time Password) generates codes based on a counter that goes up by one each time you use it. TOTP is more widely used today because the code expires automatically, while HOTP codes stay valid until they are used.
Do you store my secret key?
No. We do not store, log, or transmit your secret key in any way. It exists only in your browser's memory while you are on the page. Close the tab and it is gone.

From the blog

Guides, tutorials, and security tips for two-factor authentication.

Best Authenticator Apps Compared: Google vs Microsoft vs Authy

A practical comparison of the most popular authenticator apps. Features, backup options, and which one works best for different needs.

Read more

How Two-Factor Authentication Works: A Beginner's Guide

A straightforward explanation of two-factor authentication for people new to online security. What 2FA is, why it matters, and how to set it up.

Read more

Is a Browser-Based 2FA Generator Safe?

Can you trust a web-based TOTP generator with your secret keys? A technical look at client-side processing, security trade-offs, and when it makes sense.

Read more