TOTP & HOTP

TOTP (одноразовый пароль на основе времени, RFC 6238) и HOTP (одноразовый пароль на основе HMAC, RFC 4226), два RFC, которые реализует каждый QR-код регистрации 2FA. Схема URI otpauth://, де-факто стандарт Google Authenticator, поддерживаемый всеми основными приложениями-аутентификаторами.

Спецификация TOTP:RFC 6238 (time-based, 2011).
Спецификация HOTP:RFC 4226 (counter-based, 2005).
Схема URI:Google Authenticator Key URI Format, the format every authenticator agrees on.

Что это такое

QR-код регистрации 2FA, это URL в схеме otpauth://, содержащий общий секрет и идентифицирующие метаданные. Формат:

otpauth://TYPE/LABEL?secret=SECRET&issuer=ISSUER&algorithm=ALG&digits=N&period=SEC

TYPE, totp (time-based) or hotp (counter-based).
LABEL, Issuer:Account, URL-encoded. Example: GitHub:alice@example.com.
secret, the shared key, Base32-encoded (RFC 4648 §6 alphabet: A-Z, 2-7).
issuer, the service name, shown in the authenticator app. Redundant with the label but improves UX on apps that don't parse the label.
algorithm, SHA1 (default), SHA256, or SHA512. Every authenticator supports SHA1; fewer support SHA256/SHA512.
digits, 6 (default) or 8. Most consumer apps expect 6.
period, TOTP only. 30 (default) or 60 seconds. HOTP has a counter parameter instead.

Эталонные тестовые векторы

Case	Inputs	Expected otpauth:// URI
TOTP, minimal (SHA1, 6 digits, 30 s)	`issuer=GitHub account=alice@example.com secret=JBSWY3DPEHPK3PXP`	`otpauth://totp/GitHub:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=GitHub`
TOTP, SHA256, 8 digits	`issuer=Corp account=bob secret=JBSWY3DPEHPK3PXP algorithm=SHA256 digits=8`	`otpauth://totp/Corp:bob?secret=JBSWY3DPEHPK3PXP&issuer=Corp&algorithm=SHA256&digits=8`
HOTP, counter=0	`issuer=YubiKey account=carol secret=JBSWY3DPEHPK3PXP counter=0`	`otpauth://hotp/YubiKey:carol?secret=JBSWY3DPEHPK3PXP&issuer=YubiKey&counter=0`
TOTP, RFC 6238 reference secret	`issuer=Example account=test secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ digits=8`	Standard RFC test secret (`12345678901234567890`). Produces TOTP `94287082` at T=59 s.

Онлайн-валидатор секрета Base32

Приложения-аутентификаторы отклоняют секреты, содержащие символы за пределами алфавита Base32 (A-Z, 2-7). Ниже тот же валидатор, который Abundera встраивает в генератор TOTP, работает в вашем браузере.

Секрет Base32

Введите секрет для проверки.

Распространённые ошибки

Base32 is not Base64. Base64 uses A-Z, a-z, 0-9, +, /, any of those lowercase letters or digits 0, 1, 8, 9 in your secret means you were handed a Base64 string and it'll be rejected by every authenticator.
Secret length. RFC 4226 §4 recommends at least 128 bits (26 Base32 chars) for HOTP and 160 bits (32 chars) for TOTP. Secrets under 80 bits (16 chars) are technically legal but flagged weak.
Algorithm support varies. Google Authenticator ignores the algorithm parameter and always uses SHA1. For SHA256/SHA512 to actually take effect, your users must be on 1Password, Authy, Bitwarden, or Microsoft Authenticator.
Digits support varies. Most authenticators ignore digits=8 and silently truncate to 6. If 8-digit OTPs matter (banking, some government apps), test your target authenticator before rolling out.
URL-encode the label. Special characters in issuer or account (:, @, space) must be percent-encoded in the label, or older authenticators drop the label entirely. Abundera handles this automatically.
Never reuse secrets. Every account gets a fresh cryptographically-random secret. Reusing a secret across services means a compromise at one breaks all of them.
Storage matters more than the QR. The QR is a one-time bootstrap. The authenticator app stores the secret after the first scan. If that secret is later exported in plain text (some authenticators do this), one disk leak = every 2FA compromised.

Совместимость с аутентификаторами

App	TOTP SHA1	TOTP SHA256/512	HOTP	8-digit	Notes
Google Authenticator	Yes	Ignored	Yes	Ignored	The de facto baseline. Always targets this first.
1Password	Yes	Yes	Yes	Yes	Full RFC support.
Authy	Yes	Yes	No	Yes	Drops HOTP in newer versions.
Bitwarden	Yes	Yes	Yes	Yes	Full RFC support.
Microsoft Authenticator	Yes	Yes	Yes	Yes	Full RFC support.
YubiKey Authenticator	Yes	Yes	Yes	Yes	HOTP is the canonical YubiKey mode.
Duo Mobile	Yes	Ignored	No	Ignored	Uses its own push flow; TOTP is fallback only.

Смотрите также

/totp-2fa-qr-code/, the TOTP generator with Base32 validator inline.
/hotp-qr-code/, HOTP counter-based variant.
/standards/, back to the standards index.

Ссылки на спецификации проверены 2026-04-18. RFC 6238 (2011), RFC 4226 (2005), Google Key URI Format.