What Is a TOTP Secret Key and How Does It Work?

When you set up two-factor authentication, you're shown a QR code or a string of letters and numbers. That string is your TOTP secret key, and understanding what it is and how it works will help you use 2FA more securely.

What Is a TOTP Secret Key?

A TOTP (Time-based One-Time Password) secret key is a randomly generated string that is shared exactly once between you (or your authenticator app) and the service you're protecting. It's the foundation of how TOTP-based 2FA works: every 6-digit code you see in your authenticator app is derived from this key.

The key is generated when you first set up 2FA. It's typically presented as a QR code (which encodes it in the otpauth:// URI format) or as a plain base32 string you can type manually. After setup, you never need to see or transmit the key again.

How It Generates Your 2FA Codes

TOTP codes are produced by combining two inputs: the secret key and the current time. Specifically, the current Unix timestamp is divided by 30 (discarding the remainder) to produce a "time window" number. This number is then combined with the secret key using HMAC-SHA1 to produce a hash, and 6 digits are extracted from that hash.

Your authenticator app and the server both perform this calculation independently using the same secret key and the same clock. Because both calculations always produce the same result, the codes match without the code ever being transmitted over a network. This is why TOTP works even with no internet connection.

You can verify this yourself: use the TOTP Secret Key Generator to create a key, then paste it into 2faco.com; you'll see live codes generating every 30 seconds, all in your browser.

What It Looks Like

TOTP secret keys are encoded in base32, a character set that uses only uppercase letters A-Z and digits 2-7. A typical key looks like: JBSWY3DPEHPK3PXP. Most keys are between 16 and 32 characters long. The minimum recommended length is 16 characters (80 bits of entropy); 32 characters (160 bits) is most common.

Spaces don't affect the key; they're sometimes added in groups of 4 for readability. If you need to enter a key manually, remove all spaces first.

Why You Must Keep It Secret

Anyone who has your TOTP secret key can generate your 2FA codes at any time. This means they can bypass your second factor completely. The secret key should be treated with the same level of care as your password, ideally more, since it's harder to change after the fact.

Never enter your TOTP secret key on any website you don't fully trust. Never share it via email or message. Legitimate services will never ask for it after initial setup. If you suspect a key has been compromised, disable and re-enable 2FA on that account immediately to generate a new key.

How to Generate One Safely

If you're implementing 2FA in your own application and need to generate secret keys for users, use a cryptographically secure random number generator. Our browser-based TOTP Secret Key Generator uses crypto.getRandomValues(), the same API used by TLS, to generate keys that are truly random and never transmitted anywhere.

In code: in Python, use pyotp.random_base32(). In Node.js, use speakeasy.generateSecret() or generate raw bytes with crypto.randomBytes() and encode as base32.
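As an added worked example (not code from this page, from pyotp or from the 2faco.com generator), the steps described in "How It Generates Your 2FA Codes" and the key generation from this section in plain Python: CSPRNG key as base32, HMAC-SHA1 over the 30-second window counter, dynamic truncation to 6 digits, a server-side check that tolerates one window of clock drift, and the otpauth:// URI a setup QR code encodes. Function names are mine; the seed constant is the RFC 6238 reference value so the outputs can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

def generate_secret(num_bytes: int = 20) -> str:
    """Fresh secret from the OS CSPRNG, as unpadded base32 (20 bytes = 160 bits = 32 chars)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")

def _decode_secret(secret_b32: str) -> bytes:
    """Strip the readability spaces, normalise case and restore base32 '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros

def totp(secret_b32: str, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole 30-second windows since the Unix epoch."""
    now = int(time.time()) if unix_time is None else unix_time
    return hotp(secret_b32, now // step, digits)

def verify(secret_b32: str, code: str, unix_time: Optional[int] = None,
           step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` windows either side
    for clock drift; compare in constant time so the comparison leaks no timing."""
    now = int(time.time()) if unix_time is None else unix_time
    counter = now // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d, digits), code)
               for d in range(-skew, skew + 1))

def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The provisioning URI that the setup QR code encodes (hypothetical issuer/account)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")

# RFC 6238 reference seed (ASCII "12345678901234567890"), not a real account key
RFC_SEED = base64.b32encode(b"12345678901234567890").decode("ascii")
```

With the reference seed, totp(RFC_SEED, 59) gives 287082, matching RFC 6238 Appendix B truncated to 6 digits; a base32 string with spaces decodes to the same code as the unspaced one.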

Backing Up Your Secret Key

Your TOTP secret key is the most important thing to save when setting up 2FA. If you lose access to your authenticator app and don't have the key or backup codes, you may be permanently locked out. Write the key down and store it somewhere physically secure, such as a safe or with important documents. Some password managers (like 1Password or Bitwarden) support storing TOTP secrets alongside passwords.

See also: 2FA backup codes explained, the other safety net you should always save.

What the Secret Key Actually Is

The TOTP secret key (also called the TOTP seed) is a randomly generated string of bytes, typically 20 bytes (160 bits) long, that serves as the shared secret between you and the service you are authenticating with. When you scan a QR code during 2FA setup, that QR code encodes this secret key (along with the account name and issuer). Your authenticator app stores this key and uses it to calculate 6-digit codes. The service's server stores the same key. When you enter a code, the server runs the same calculation and verifies it matches.

The secret key is typically displayed in Base32 encoding, a format using only uppercase letters A-Z and digits 2-7, making it easy to read aloud and type manually. A typical secret key looks like: JBSWY3DPEHPK3PXP. This is the text version of the key shown alongside QR codes, which you can use to manually add an account to your authenticator app if you cannot scan the QR code.

Why the Secret Key Must Stay Secret

The security of your 2FA depends entirely on the secrecy of this key. Anyone who obtains your secret key can install it in any TOTP authenticator app and generate valid codes for your account indefinitely. There is no expiry on a TOTP secret key: once exposed, it remains valid until you disable and re-enroll 2FA on that account. This is why you should never screenshot a QR code and store it in a photo library, never type your secret key into untrusted websites, and never share it with anyone, including people claiming to be support staff.

Where Secret Keys Are Stored

Authenticator apps store secret keys in the device's protected storage. On iOS, this is the Keychain. On Android, this is the Android Keystore. These storage systems are isolated from other apps and encrypted using hardware-backed keys tied to your device. Rooted (Android) or jailbroken (iOS) devices bypass these protections, potentially exposing secret keys to malicious apps. Cloud-based authenticators like Authy encrypt secret keys before uploading them to the cloud, using a separate backup password that never leaves your device.

Frequently Asked Questions

Can I back up my TOTP secret key? Yes, and you should. When setting up 2FA, save the text version of the secret key (shown alongside the QR code) in your password manager's secure notes. This lets you restore your 2FA codes on any new device without going through the service's account recovery process.

What happens to my secret key if I delete my authenticator app? On most platforms, deleting the app also deletes all stored secret keys. Before deleting your authenticator app, export your accounts or note down your secret keys. Google Authenticator has an export function. Authy backs up to the cloud automatically. If you delete without backing up, you will need to disable and re-enroll 2FA on each account using backup codes.

Is the secret key the same as a backup code? No, these are different things. The secret key is the cryptographic seed used to generate all future TOTP codes. Backup codes are single-use emergency codes generated separately by the service. The secret key is permanent (until you re-enroll); backup codes are consumed when used.