TOTP vs HOTP: Which 2FA Code Type Are You Using?
Most people say "2FA code" as if every code works the same way. Under the hood, the two common one-time password methods are TOTP and HOTP. They look similar because both produce short numeric codes, but they refresh for different reasons.
The quick answer: TOTP changes with time, usually every 30 seconds. HOTP changes with a counter, usually after each successful use or button press. Most QR codes used by Google Authenticator-style apps are TOTP.
BaseToolbox's 2FA code generator is designed for standard TOTP secrets, otpauth:// URLs, and authenticator QR images. If a service gives you a time-based authenticator setup, this is the format you are probably using.
TOTP and HOTP in plain language
TOTP stands for Time-based One-Time Password. The code is calculated from a shared secret and the current time window. If your device clock is correct, the same secret produces the same code during that window. When the timer expires, the code changes.
HOTP stands for HMAC-based One-Time Password. It uses a shared secret and a counter. The counter moves forward when a new code is generated (on the device) or accepted (on the server). If the server and the device disagree about the counter, the code may stop working until it is resynchronized.
Both methods are stronger than a password alone because an attacker needs more than the password. But the day-to-day behavior is different.
| Feature | TOTP | HOTP |
|---|---|---|
| Code changes when | Time window changes | Counter advances |
| Common refresh | 30 seconds | After use or request |
| Common in apps | Very common | Less common for consumer accounts |
| Main failure mode | Device clock drift | Counter out of sync |
| BaseToolbox support | Yes, for standard TOTP | Not the focus of the 2FA generator |
How to know which one you have
Look at the setup URL or QR code. A standard authenticator QR often contains an otpauth://totp/... URL. That totp part means the account uses a time-based one-time password.
If the URL says otpauth://hotp/..., it is counter-based. You may also see a counter= parameter. That setup should be handled by an app or system that understands HOTP counter state.
If you cannot see the URL, look at the app behavior. A visible countdown ring or "refreshes in 30 seconds" behavior usually means TOTP. A code that changes only when you request the next code may indicate HOTP.
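The computation described above (HOTP from a secret and counter, TOTP as the same computation with the time step as the counter) and the otpauth://totp and otpauth://hotp URL parsing, as an added example written for this page and not BaseToolbox's own code. It assumes the RFC 4226/6238 test secret "12345678901234567890" (Base32: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), a constructed sample, and defaults of SHA1, 6 digits and a 30-second period when the URL omits them.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(url):
    """Split an otpauth://totp/... or otpauth://hotp/... URL into its settings."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URL")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    issuer, _, account = unquote(u.path.lstrip("/")).partition(":")  # label = issuer:account
    return {
        "type": u.netloc,
        "issuer": q.get("issuer", issuer if account else ""),
        "account": (account or issuer).strip(),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "counter": int(q["counter"]) if "counter" in q else None,  # HOTP only
    }

def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    secret_b32 = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))  # restore padding
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: TOTP is HOTP with the counter replaced by the current time step."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits, algorithm)

def code_for_url(url, at=None):
    """The code an authenticator would show for this URL (HOTP uses the stored counter)."""
    p = parse_otpauth(url)
    if p["type"] == "hotp":
        return hotp(p["secret"], p["counter"], p["digits"], p["algorithm"])
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])

if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test secret "12345678901234567890", Base32-encoded.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    # Same HMAC input (counter 1 == time step 59 // 30), so the codes share their tail digits.
    print(hotp(SECRET, 1), totp(SECRET, at=59, digits=8))  # 287082 94287082
```

Running it against the RFC test vectors shows the point of the table above: a TOTP code is an HOTP code whose counter is the time step, which is why a wrong clock on one device produces a different code from the same secret.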
Why most authenticator apps use TOTP
TOTP fits normal login flows. You open the app, read the current code, enter it, and the server checks the same time window. There is no need to track how many codes you generated while offline.
That makes TOTP more forgiving of ordinary use. If you accidentally open the app ten times, nothing changes except time passing. With HOTP, repeated generation can move the counter forward, and the server may need a resync window to accept a later code.
TOTP is not magic, though. If your phone, laptop, or browser environment has the wrong time, the generated code may fail even when the secret is correct.
Where BaseToolbox fits
Use the 2FA code generator when you have a Base32 secret, an otpauth:// URL, or a QR code image for a standard TOTP account. The page parses issuer, account, period, digits, and algorithm settings in the browser.
Do not paste secrets from important personal accounts into random sites. BaseToolbox processes the secret locally in your browser, but the safer workflow is still to use it for testing, recovery checks, internal tools, or cases where you intentionally need a browser-side TOTP generator.
If the account uses proprietary push login, SMS, passkeys, or a vendor-specific approval flow, a TOTP generator may not apply.
Setup mistakes to avoid
Do not confuse backup codes with TOTP codes. Backup codes are usually fixed recovery codes generated by the service. TOTP codes are calculated repeatedly from a shared secret.
Do not assume every QR code is a TOTP QR code. Some QR codes enroll a device into a push-based authenticator system and may not contain a usable otpauth:// secret.
Do not ignore the clock. If the code is right on one device but wrong on another, check time synchronization before resetting 2FA.
FAQ
Is Google Authenticator TOTP or HOTP?
Most common Google Authenticator-style account setups use TOTP. The QR code often contains an otpauth://totp/... URL.
Can a TOTP code be generated without the phone?
Yes, if you have the original Base32 secret or otpauth:// URL. Use that carefully; anyone with the secret can generate valid codes.
Should I use HOTP for a new app?
For ordinary authenticator-app logins, TOTP is usually the expected choice. HOTP can still be useful in systems that intentionally manage counters.
Ready to try it yourself?
Put what you have learned into practice with our free online tool.
Generate a TOTP Code