
What Is a TOTP Secret Key and How Does It Work?

When you set up two-factor authentication, you're shown a QR code or a string of letters and numbers. That string is your TOTP secret key — and understanding what it is and how it works will help you use 2FA more securely.

What Is a TOTP Secret Key?

A TOTP (Time-based One-Time Password) secret key is a randomly generated string that is shared exactly once between you (or your authenticator app) and the service you're protecting. It's the foundation of how TOTP-based 2FA works — every 6-digit code you see in your authenticator app is derived from this key.

The key is generated when you first set up 2FA. It's typically presented as a QR code (which encodes it in the otpauth:// URI format) or as a plain base32 string you can type manually. After setup, you never need to see or transmit the key again.

How It Generates Your 2FA Codes

TOTP codes are produced by combining two inputs: the secret key and the current time. Specifically, the current Unix timestamp is divided by 30 (rounding down) to produce a "time window" number. This number is then combined with the secret key using HMAC-SHA1 to produce a hash, and 6 decimal digits are extracted from that hash.

Your authenticator app and the server both perform this calculation independently using the same secret key and the same clock. Because both calculations always produce the same result, the codes match without the server ever having to send a code to your app. This is why TOTP works even with no internet connection.

You can verify this yourself: use the TOTP Secret Key Generator to create a key, then paste it into 2faco.com — you'll see live codes generating every 30 seconds, all in your browser.

What It Looks Like

TOTP secret keys are encoded in base32 — a character set that uses only uppercase letters A–Z and digits 2–7. A typical key looks like: JBSWY3DPEHPK3PXP. Most keys are between 16 and 32 characters long. The minimum recommended length is 16 characters (80 bits of entropy); 32 characters (160 bits) is most common.

Spaces don't affect the key — they're sometimes added in groups of 4 for readability. If you need to enter a key manually, remove all spaces first.

Why You Must Keep It Secret

Anyone who has your TOTP secret key can generate your 2FA codes at any time. This means they can bypass your second factor completely. The secret key should be treated with the same level of care as your password — ideally more, since it's harder to change after the fact.

Never enter your TOTP secret key on any website you don't fully trust. Never share it via email or message. Legitimate services will never ask for it after initial setup. If you suspect a key has been compromised, disable and re-enable 2FA on that account immediately to generate a new key.

How to Generate One Safely

If you're implementing 2FA in your own application and need to generate secret keys for users, use a cryptographically secure random number generator. Our browser-based TOTP Secret Key Generator uses crypto.getRandomValues() — the same API used by TLS — to generate keys that are truly random and never transmitted anywhere.

In code: in Python, use pyotp.random_base32(). In Node.js, use speakeasy.generateSecret() or generate raw bytes with crypto.randomBytes() and encode as base32.

Backing Up Your Secret Key

Your TOTP secret key is the most important thing to save when setting up 2FA. If you lose access to your authenticator app and don't have the key or backup codes, you may be permanently locked out. Write the key down and store it somewhere physically secure — a safe, or with important documents. Some password managers (like 1Password or Bitwarden) support storing TOTP secrets alongside passwords.

See also: 2FA backup codes explained — the other safety net you should always save.
