Online OTP Check


An online generator for one-time passwords according to RFC 6238 (TOTP algorithm, most common) and RFC 4226 (HOTP algorithm). This online check is compatible with the Google and Microsoft Authenticator apps available for Android and iPhone, and with other applications such as FreeOTP.


TOTP Algorithm (RFC 6238)

🎉 This is the most common OTP

Time-based One-time Password (TOTP) is a time-based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a timestep. As a rule, timesteps tend to be 30 seconds or 60 seconds in length. If you haven’t used your password within that window, it will no longer be valid, and you’ll need to request a new one to gain access to your application.

TOTP is a time-based one-time password. It lives only for a few seconds (the period). You just have to be sure that the clocks of your server and your device are synchronized. This is the most common OTP.

How to generate TOTP online

  1. Create your TOTP secret (setup key)
  2. Create one-time passwords based on your secret
  3. Check whether your generated OTP is still valid

#1 Create TOTP Secret

For example, the user's email address. You must set the label before generating the provisioning URI/QR code.

By default and to be compatible with Google Authenticator, the issuer is set in the query parameters and as the label prefix.

Some applications such as FreeOTP can load images from a URI (image parameter). It needs to be a valid URL to an image.

ℹ The most common parameters used by services are a period of 30 seconds, the SHA-1 algorithm and 6 digits for your OTP code. If you are not sure which parameters your service uses, always use these as the default.

Set the period for which the OTP is valid; 30 seconds is recommended.

You must verify that the algorithm you want to use is supported by the application your clients might be using.

How many digits the OTP should have

#2 Generate TOTP Code

Enter a generated TOTP (time-based) secret

The period used for the secret

The algorithm used for the secret

The number of digits set for your created secret

#3 Check TOTP Code

Normally the secret is stored securely in a server-side database; for this test you have to enter it manually.

Based on your secret

The period used for the secret

The algorithm used for the secret

The number of digits set for your created secret


HOTP Algorithm (RFC 4226)

The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). Put in layman’s terms, HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. Each time the HOTP is requested and validated, the moving factor is incremented based on a counter. The code that’s generated is valid until you actively request another one and it’s validated by the authentication server. The OTP generator and the server are synced each time the code is validated and the user gains access.

HOTP is a counter-based one-time password. Every time a password is used, the counter is updated. You have to verify that the server and the device are synchronized.

How to generate HOTP online

  1. Create your HOTP secret (setup key)
  2. Create one-time passwords based on your secret
  3. Check whether your generated OTP is still valid

#1 Create HOTP Secret

HOTP is counter-based, so you need to define a start counter.

For example, the user's email address. You must set the label before generating the provisioning URI/QR code.

By default and to be compatible with Google Authenticator, the issuer is set in the query parameters and as the label prefix.

Some applications such as FreeOTP can load images from a URI (image parameter). It needs to be a valid URL to an image.

You must verify that the algorithm you want to use is supported by the application your clients might be using.

How many digits the OTP should have

#2 Generate HOTP Code

Enter a generated HOTP (hash-based) secret

Every time a password is used, the counter is updated. You have to verify that the server and the device are synchronized.

The algorithm used for the secret

The number of digits set for your created secret

#3 Check HOTP Code

Normally the secret is stored securely in a server-side database; for this test you have to enter it manually.

Based on your HOTP secret

HOTP is a counter-based one-time password. Every time a password is used, the counter is updated. You have to verify that the server and the device are synchronized.

The algorithm used for the secret

The number of digits set for your created secret
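
The three steps above (create a secret, generate a code, check it) for both TOTP and HOTP, as an added Python example that is not this site's own code. The function names, the `window` and `look_ahead` tolerances and the sample label and issuer are assumptions; the secret is the published RFC 4226 test key, Base32-encoded.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # keys are often unpadded
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, now=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP whose counter is the number of elapsed timesteps."""
    now = time.time() if now is None else now
    return hotp(secret_b32, int(now // period), digits, algorithm)

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison

def verify_totp(secret_b32, code, now=None, period=30, digits=6, algorithm="sha1", window=1):
    """Accept the current timestep and `window` steps either side (clock drift)."""
    now = time.time() if now is None else now
    step = int(now // period)
    steps = range(max(step - window, 0), step + window + 1)
    return any(_same(hotp(secret_b32, s, digits, algorithm), code) for s in steps)

def verify_hotp(secret_b32, code, counter, digits=6, algorithm="sha1", look_ahead=3):
    """Return the counter to store next on success, or None; never moves backwards."""
    for c in range(counter, counter + look_ahead + 1):
        if _same(hotp(secret_b32, c, digits, algorithm), code):
            return c + 1  # persisting this value makes the used code unreplayable
    return None

def provisioning_uri(secret_b32, label, issuer, period=30, digits=6, algorithm="sha1"):
    """otpauth:// URI with the issuer as label prefix and as query parameter."""
    params = {"secret": secret_b32, "issuer": issuer, "algorithm": algorithm.upper(),
              "digits": digits, "period": period}
    return f"otpauth://totp/{quote(issuer)}:{quote(label)}?{urlencode(params)}"

# Constructed sample secret: the RFC 4226 test key "12345678901234567890" in Base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

A server that verifies HOTP must store the counter returned by `verify_hotp`; a server that verifies TOTP should likewise remember the last accepted timestep so the same code cannot be used twice within its window.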