Skip to main content
appkiro.com
Developer Tools

2FA Live

Generate Time-based One-Time Passwords (TOTP) in real-time. Paste your Base32 secret to see the current OTP, refreshing every period — compatible with Google Authenticator, Authy, and Microsoft Authenticator.

Practical guide

2FA Live is a real-time TOTP generator that turns one or more Base32 secrets into the same six-digit codes you would see in Google Authenticator, Authy, Microsoft Authenticator, or 1Password. Paste the secrets, click Get OTP, and the page shows each code alongside a countdown ring. Secrets stay in your browser — the HMAC signing runs locally through the Web Crypto API. If you also need to issue a fresh secret for a new account, generate a strong key first.

Where this fits

Backup access for personal accounts

When your phone is lost, factory reset, or stuck in a slow restore, paste the Base32 backup secret you saved during 2FA enrollment to log back into email, banking, GitHub, or cloud accounts without waiting for support recovery flows.

Shared service accounts on a team

Ops, finance, and devops teams often share access to billing portals, registrars, or admin dashboards that require 2FA. Storing the Base32 secret in a team password manager and using 2FA Live to generate the code keeps the workflow open to anyone authorised, without binding the account to one person's phone.

Backend and integration testing

Engineers building authentication flows can paste test secrets here to confirm that their server-side TOTP library produces the same code for the same time window. Pair with the JWT debugger when verifying that a TOTP-protected login mints a valid session token.

Verifying a 2FA enrollment QR before going live

When you generate an otpauth URL for a new account, paste the URL into 2FA Live to confirm that the algorithm, digits, and period match what the authenticator app expects before issuing the QR to a user. Build the QR image only after the secret produces correct codes.

How to use 2FA Live

  1. 1Paste your Base32 secretsOne per line. Plain Base32, labeled lines like Email: JBSW…, or full otpauth:// URLs with algorithm and period parameters are all accepted.
  2. 2Open Advanced when defaults differMost services use SHA-1, 6 digits, 30 seconds. Adjust the defaults in Advanced when an issuer documents SHA-256, SHA-512, or longer codes. otpauth:// URLs override the defaults per entry.
  3. 3Click Get OTPThe page parses each line, decodes the Base32 secret, and shows the current code with a per-row countdown. Codes refresh automatically when each row's period rolls over.
  4. 4Copy and paste into the login formUse the Copy button next to each code. The value is the same six-digit OTP your authenticator app would show at this moment.

Practical notes

Who this is for

2FA Live is for people who already have a Base32 secret and need a code right now: account owners with a saved backup, team members sharing access to a service account, security engineers debugging an integration, and anyone moving 2FA between devices. It is not a replacement for using a hardened authenticator app on your daily device.

Treat the secret like a password

Anyone with the Base32 secret can produce valid codes. Keep secrets in a trusted password manager, do not paste them into shared screens or chat threads, and rotate the secret if it leaks.

Clock drift breaks TOTP

TOTP depends on accurate system time. If 2FA Live's code does not match the service's expectation, check the device clock and time zone before assuming the secret is wrong.

SHA-1 default, sometimes overridden

Most services use SHA-1, 6 digits, 30 seconds. Some banks, enterprise SSO, and hardware tokens use SHA-256, SHA-512, or 7-8 digit codes. Match the issuer's parameters in Advanced or the codes will not validate.

Set up and verify 2FA

A reliable 2FA workflow ties together fresh secret generation, secret-to-QR encoding, real-time verification, and session-token inspection.

  1. 1

    Key Generator

  2. 2

    Verify the TOTP output here

  3. 3

    QR Code Generator

  4. 4

    JWT Debugger

Questions worth checking

Are my secrets uploaded to a server?

No. 2FA Live decodes Base32 and runs HMAC signing locally through the Web Crypto API. The secrets never leave your browser tab and the page does not send them anywhere.

Why is the code not matching my authenticator app?

Most often it is a clock drift on one device. As a second check, confirm that algorithm, digit count, and period match the issuer's settings — open Advanced or use an otpauth:// URL to set them precisely.

What characters are valid in a Base32 secret?

Letters A-Z and digits 2-7. Padding equals signs are ignored. Spaces, dashes, and lowercase letters are normalised automatically.

Can I use this with Google Authenticator codes?

Yes. Google Authenticator, Authy, Microsoft Authenticator, and 1Password all use the same TOTP algorithm. With default SHA-1, 6 digits, and a 30-second period, 2FA Live produces the same codes those apps would.

Does it support multiple accounts at once?

Yes. Paste one secret per line. Each row gets its own current code, period, and countdown. Mixing plain Base32 lines with full otpauth:// URLs in the same input is supported.

Does it support HOTP?

This tool focuses on TOTP (time-based). HOTP uses a counter you advance manually and is rare in modern 2FA flows.

Related tools

Key GeneratorGenerate JWT secrets, API keys, service tokens, passwords, and PEM-style key material locally in your browser with per-key regenerate and copy actions.
QR Code GeneratorCreate beginner-friendly QR codes for websites, text, Wi-Fi, phone, email, and contacts with EasyQRCodeJS loaded only on the QR tool page.
JWT DebuggerDecode, inspect, verify, and encode JSON Web Tokens with formatted header and payload output for API debugging.
Password GeneratorGenerate strong random passwords with length, character set, ambiguity, and batch options that run locally in your browser.
UUID GeneratorGenerate bulk UUIDs for v1, v3, v4, v5, v6, v7, and v8 with standard, uppercase, hyphenless, braces, URN, TXT, and JSON output.