Two-Factor Authentication QR Code Generator
Generate QR codes for setting up 2FA (two-factor authentication) in authenticator apps. Add an extra layer of security to your accounts.
How It Works
When you scan a 2FA QR code with an authenticator app like Google Authenticator, Authy, or 1Password, the app imports your secret key and begins generating time-based one-time passwords (TOTP) or counter-based passwords (HOTP). These codes change every 30 seconds (TOTP) and provide an additional security factor beyond your regular password.
Format Overview
2FA QR codes use the otpauth:// URI scheme, a standardized format for provisioning OTP credentials. The structure differs slightly between TOTP and HOTP:
TOTP (Time-Based) Format
otpauth://totp/GitHub:username?secret=JBSWY3DPEHPK3PXP&issuer=GitHub&algorithm=SHA1&digits=6&period=30
HOTP (Counter-Based) Format
otpauth://hotp/Google:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Google&counter=0&algorithm=SHA1&digits=6
Key parameters:
- Label: Format is Issuer:Account (e.g., "GitHub:username")
- secret: Base32-encoded shared secret (required)
- issuer: Service provider name (helps organize multiple accounts)
- algorithm: Hash algorithm (SHA1, SHA256, SHA512) - SHA1 is most compatible
- digits: Code length (6 or 8 digits) - 6 is standard
- period: TOTP only - seconds between code changes (default 30)
- counter: HOTP only - starting counter value (usually 0)
TOTP vs HOTP
- TOTP (Time-Based): Generates codes that expire every 30 seconds. This is the most common type used by services like Google, GitHub, AWS, and most modern 2FA implementations. No counter synchronization is needed between client and server; both only need reasonably accurate clocks.
- HOTP (Counter-Based): Generates codes based on an incrementing counter. Each code is valid until used, and both the client and server must stay synchronized. Less common but useful for environments without reliable time synchronization.
Base32 Secret Encoding
The secret key must be Base32-encoded, which uses only uppercase letters A-Z and digits 2-7. This is different from Base64 encoding. Most services that support 2FA will provide you with a Base32-encoded secret when you enable 2FA. If you need to generate a random secret, use the "Generate random secret" button—it creates a cryptographically secure 160-bit Base32 key.
Compatible Authenticator Apps
- Google Authenticator: iOS and Android
- Authy: iOS, Android, Desktop - supports cloud backup
- Microsoft Authenticator: iOS and Android
- 1Password: Password manager with built-in TOTP support
- Bitwarden: Open-source password manager with TOTP
- FreeOTP: Open-source authenticator app
- AndOTP: Android-only, open-source with encryption
Security Best Practices
- Keep your secret secure: Never share your secret key with anyone. Anyone with your secret can generate valid codes.
- Save backup codes: When enabling 2FA on a service, save the backup/recovery codes in a secure location in case you lose access to your authenticator app.
- Use strong secrets: Generate cryptographically random secrets with at least 128 bits of entropy (20 Base32 characters).
- Test before finalizing: After scanning the QR code, verify that the generated codes work before completing the 2FA setup on the service.
- Document your setup: Keep a secure record of which accounts have 2FA enabled and which authenticator app you're using.
Common Algorithm and Digit Settings
While the generator allows customization, most services use these standard settings for maximum compatibility:
- Algorithm: SHA1 (most widely supported, despite being cryptographically weaker than SHA256/SHA512)
- Digits: 6 digits (easier to type than 8, still provides strong security with 1 million possible combinations)
- Period: 30 seconds (TOTP) - balances security and convenience
Typical Setup Flow
- Service provides you with a secret key (or you generate one for your own application)
- Generate a QR code with the secret and service details
- Scan the QR code with your authenticator app
- Authenticator app begins generating 6-digit codes every 30 seconds
- Enter the current code on the service to verify the setup
- Save backup/recovery codes provided by the service
When to Use Each Type
- Use TOTP for: Web services, cloud platforms, social media accounts, email accounts - any service where your device has accurate time
- Use HOTP for: Hardware tokens, embedded devices, systems without reliable time sources, or when you need codes to remain valid until used