Is a Browser-Based 2FA Generator Safe?


The trust question

When people hear “browser-based 2FA generator,” the first reaction is usually skepticism. And honestly, that’s the right instinct. If a website is generating your two-factor authentication codes, your secret keys are touching a web page. That feels risky.

But “browser-based” doesn’t automatically mean “insecure.” It depends entirely on how the tool is built. Some approaches are genuinely dangerous. Others are about as safe as a native app. The difference comes down to where the processing happens.

Client-side vs. server-side

This is the key distinction. A web-based TOTP tool can work in two very different ways:

Server-side processing means your secret key gets sent to a remote server, which generates the code and sends it back. This is bad. Your secret is now stored on or transmitted to someone else’s infrastructure. You’re trusting the server operator, their security practices, and every piece of software in between.

Client-side processing means everything happens in your browser. The JavaScript runs locally, generates the code on your machine, and your secret key never leaves your device. The web page is just a delivery mechanism for the code that runs on your computer.

A well-built browser TOTP tool uses client-side processing exclusively. Your secrets stay in your browser’s memory, get used to calculate a code, and that’s it. Nothing gets sent anywhere.

How to verify this yourself

You don’t have to take anyone’s word for it. Open your browser’s developer tools (F12 on most browsers), go to the Network tab, and watch what happens when you enter a secret key and generate a code. If no requests go out, the tool is client-side.

You can also test by disconnecting from the internet entirely. Load the page, go offline, then enter a secret and generate a code. If it works, nothing is being sent to a server.

For open-source tools, you can read the source code directly. The TOTP algorithm is short and well-documented (it’s based on RFC 6238), so it’s not hard to verify that the implementation matches the spec and doesn’t include any data exfiltration.

The Web Crypto API

Modern browsers include the Web Crypto API, a built-in set of cryptographic functions that run natively in the browser. This means a web-based TOTP generator doesn’t need to rely on third-party crypto libraries. It can use the same battle-tested cryptographic primitives that the browser itself uses for HTTPS connections.

The Web Crypto API provides HMAC-SHA1 (the keyed hash TOTP uses by default), and it runs operations in a way that’s designed to resist timing attacks. This is the same caliber of cryptographic implementation you’d find in a native desktop application.
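As an added example (not the page’s or 2fa.zip’s own code), here is the whole client-side pipeline described above built only on crypto.subtle: base32 decoding of the enrollment secret, HMAC-SHA1 through the Web Crypto API, RFC 4226 dynamic truncation, and a self-check against the RFC 6238 test vectors, which is how you confirm an implementation “matches the spec” when reading a tool’s source. It assumes a browser or Node.js runtime; the `node:crypto` fallback is only for older Node versions that lack the `crypto` global.

```javascript
// Added example (not 2fa.zip's code): a minimal client-side TOTP generator
// using only the Web Crypto API (crypto.subtle), per RFC 4226 and RFC 6238.
// Runs unchanged in a browser or Node, and makes no network requests.

const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode an RFC 4648 base32 secret (the form shown in enrollment QR codes).
function base32Decode(s) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of s.toUpperCase().replace(/[\s=-]/g, "")) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error(`invalid base32 character: ${ch}`);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {            // emit a full byte once 8+ bits are buffered
      out.push((value >>> (bits - 8)) & 0xff);
      bits -= 8;
      value &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return new Uint8Array(out);
}

// TOTP for Unix time `now` (seconds). `now` is a parameter so the output can be
// checked against the published RFC 6238 test vectors instead of the clock.
async function totp(secretB32, now = Math.floor(Date.now() / 1000),
                    { digits = 6, period = 30 } = {}) {
  const subtle = globalThis.crypto?.subtle             // browsers, Node 19+
    ?? (await import("node:crypto")).webcrypto.subtle; // older Node fallback
  const key = await subtle.importKey("raw", base32Decode(secretB32),
    { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
  const counter = new DataView(new ArrayBuffer(8));    // 8-byte big-endian T
  counter.setBigUint64(0, BigInt(Math.floor(now / period)));
  const mac = new Uint8Array(await subtle.sign("HMAC", key, counter.buffer));
  // Dynamic truncation (RFC 4226 s5.3): low nibble of the last byte is the offset
  const o = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[o] & 0x7f) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Self-check against RFC 6238 Appendix B (secret "12345678901234567890", SHA-1).
const RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
async function rfc6238SelfTest() {
  const vectors = [[59, "94287082"], [1111111109, "07081804"], [1234567890, "89005924"]];
  for (const [t, expected] of vectors) {
    if (await totp(RFC6238_SECRET, t, { digits: 8 }) !== expected) return false;
  }
  return true;
}
```

Run it with the Network tab open: `totp()` resolves to a six-digit code with zero outgoing requests, which is exactly the check the previous section asks you to make.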

Security trade-offs compared to native apps

Let’s be direct about what’s different between a browser tool and a dedicated authenticator app.

What native apps do better

Persistent secure storage. Mobile authenticator apps store your secrets in the operating system’s secure enclave or keychain. A browser tab doesn’t have access to that level of hardware-backed protection. When you close the tab, the data is gone (which is actually a feature in some contexts, but means you’ll need to re-enter secrets).

Isolation. A native app runs in its own sandbox. A browser tab shares the browser process with other tabs. A malicious browser extension, in theory, could access page content. This is true of any web application, not specific to TOTP tools.

Offline availability. You can always open a mobile app. A web tool needs to be loaded first, though many support offline use through service workers after the initial load.

What browser tools do well

No installation. You don’t need to download an app. This matters when you’re on a shared computer, a work machine where you can’t install software, or a temporary device.

Transparency. With a web tool (especially open-source ones), you can inspect exactly what code is running, right in the browser. Native apps are compiled binaries. You’re trusting the developer either way, but web apps are easier to audit.

Disposability. Close the tab and the secrets are gone from memory. There’s nothing persisted on disk, no database to get stolen if your device is compromised later. For temporary or one-time use, this is a genuine advantage.

Cross-platform. Works on any device with a browser. No compatibility concerns, no app store restrictions.

When a browser-based tool makes sense

A browser TOTP generator isn’t trying to replace your daily authenticator app. It fills different gaps:

  • You’re at a computer where you can’t install apps and need to generate a code
  • You’re setting up 2FA and want to verify that your secret key produces the correct codes before committing to a specific authenticator app
  • You’re a developer testing TOTP integration in your own application
  • Your phone died and you need access to an account using a backup secret key you stored securely
  • You want a quick, zero-commitment way to see how TOTP codes work

For your primary, everyday 2FA needs, a dedicated authenticator app with encrypted backup is still the most practical choice. But a client-side browser tool is a solid option for the situations above.

What to look for in a browser-based TOTP tool

If you’re evaluating one, here’s what matters:

Client-side only. No network requests when generating codes. Verify this with developer tools.

Open source. You can read the code. Others can audit it. Bugs are found and fixed publicly.

Minimal dependencies. Fewer libraries means a smaller attack surface. The TOTP algorithm is simple enough to implement with just the Web Crypto API.

No accounts or registration. If a TOTP tool asks you to create an account, your secrets are probably being stored server-side.

HTTPS. The page should be served over HTTPS so the code can’t be tampered with in transit.

Try it yourself

2fa.zip is a browser-based TOTP generator that runs entirely client-side. No accounts, no server storage, open source. Enter a secret key, get a code. You can verify the client-side claim yourself using the methods described above.
