Show HN: TOTP.fyi – debugging tool for app-based 2FA

2 points by quantum5 3 months ago
This is a tool to debug "app-based 2FA", which almost certainly uses the time-based one-time password (TOTP) algorithm these days. This is the type of 2FA that shows the QR code for your phone to scan, commonly involving apps like Google Authenticator or Authy. The QR code contains a base32-encoded secret and some information about the website and if some other setting is used instead of the default.

The way the algorithm works is by dividing the current Unix time by the time step (commonly 30 seconds), and generating an HMAC from that. That's why most codes expire twice every minute at :00 and :30. However, to avoid clock synchronization issues, most websites will allow the codes from one or two time windows in the past or future.

This tool takes in the base32 secret and generates a bunch of OTPs, past, present, and future, to help test those corner cases. By default, it uses the settings that most websites use: SHA-1, 6 digits, 30-second time steps, but those could be changed in the advanced settings.

Another use is when testing 2FA enablement repeatedly or creating throwaway testing accounts on apps that require 2FA setup, but you don't want to pollute your authenticator app with all the test accounts. You can just paste the secret into this tool and get the codes immediately.

You can also use this as a crude "authenticator app" since the secret is stored in the URL hash and you can bookmark that. This is probably more suitable for scripts that create test accounts with 2FA than a long-term solution for your important accounts.

While it's a bit niche, I built this tool to address the pain points I ran into when testing TOTP, and I hope you'll also find it useful or fun to play around with. You can enter any random base32 string to see it in action. I find it quite fun to reduce the time step to 1 or 2 seconds and watch the codes scroll by with that overengineered animation...

This is a simple frontend JavaScript app and the source code is available at https://github.com/quantum5/totp.
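The algorithm and the clock-drift window described in the post, as an added Node.js example (not code from the post or from the linked repository). The function names and the `drift` option are assumptions of this sketch, and `RFC_SECRET` is the published RFC 4226/6238 test key, used here as sample input.

```javascript
const crypto = require('crypto');
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
const RFC_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'; // sample input: base32 of the RFC test key

// Decode an RFC 4648 base32 secret, as carried in the QR code.
function base32Decode(text) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of text.toUpperCase().replace(/[\s=-]/g, '')) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error(`invalid base32 character: ${ch}`);
    value = (value << 5) | idx; bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1;
    }
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, { algorithm = 'sha1', digits = 6 } = {}) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac(algorithm, key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Codes for the time steps around unixSeconds, at offsets -drift .. +drift.
function totpWindow(secret, unixSeconds, { step = 30, drift = 1, ...opts } = {}) {
  const key = base32Decode(secret);
  const current = Math.floor(unixSeconds / step);
  const codes = [];
  for (let offset = -drift; offset <= drift; offset++) {
    if (current + offset >= 0) codes.push({ offset, code: hotp(key, current + offset, opts) });
  }
  return codes;
}

// Server-side check: constant-time compare against each code in the window; returns the matched offset or null.
function verifyTotp(secret, submitted, unixSeconds, opts = {}) {
  const given = Buffer.from(String(submitted));
  const hit = totpWindow(secret, unixSeconds, opts).find(({ code }) =>
    code.length === given.length && crypto.timingSafeEqual(Buffer.from(code), given));
  return hit ? hit.offset : null;
}
```

Each extra step of `drift` adds two more valid codes per secret, so a verifier that widens the window should also rate-limit attempts and reject a code that has already been accepted.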

no comments
