2FA QR Code Generator

How to use

1. 1Enter the Issuer (the service name your users will see, like GitHub or AWS) and the Account label (an email or username). Avoid colons in either field.
2. 2Paste an existing Base32 secret or click Generate random secret. Pick 128- or 160-bit length for typical SaaS use; 256-bit for high-strength setups.
3. 3Choose OTP type. TOTP is right for almost every app; pick HOTP only if your server library is counter-based, then set the starting counter.
4. 4Set the algorithm, digits, and period (or counter) to match your server library. SHA-1, 6 digits, 30 seconds is the universal default.
5. 5Scan the QR with Google Authenticator, Authy, 1Password, or any compatible app. Or copy the otpauth URI and paste it into a setup link.
6. 6Print the grouped manual-entry secret next to the QR so users who cannot scan have a fallback. Download the QR as PNG or SVG for setup pages and onboarding emails.
7. 7Test the result by pasting the same secret into the TOTP Generator on this site to confirm the rotating code matches what the authenticator app shows.

About this tool

2FA QR Code Generator builds the standard otpauth:// provisioning URI and renders it as a scannable QR code so any RFC 6238 compliant authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator, Duo Mobile, FreeOTP, Aegis, Bitwarden) can enroll a new two-factor entry in one scan. Pick TOTP (time-based, the dominant variant) or HOTP (counter-based, used by some hardware tokens and bank apps); set the issuer (the service name shown in the app) and account label (usually a username or email); paste an existing Base32 secret or generate a fresh 80-, 128-, 160-, or 256-bit random secret with the browser's crypto.getRandomValues. Tune algorithm (SHA-1 default, SHA-256, SHA-512), digits (6 default, 7, or 8), and TOTP period (15, 30, 60, 90 seconds) or HOTP starting counter to match your server library. The page emits the full otpauth URI using the Google Key Uri Format, with proper percent-encoding of the Issuer:Account label and matching issuer query parameter for maximum client interop, plus a printable manual-entry version of the secret grouped in fours for users who cannot scan and have to type the key. Adjust the QR appearance (error correction L/M/Q/H, module pixel size, quiet-zone margin, foreground and background colors) and export PNG or SVG for setup pages, posters, or onboarding emails. Inline validation flags invalid Base32 characters, undersized secrets (RFC 4226 recommends 80 bits or more), oversized secrets, empty issuer or account, colons in the label, and HOTP counters out of range, so the QR you ship is the one a real authenticator app will accept. Everything happens locally in your browser: the secret is generated, encoded, and rendered on this page and is never sent to a server. Pair this tool with the TOTP Generator on this site to verify that the codes your authenticator emits match what your server will compute from the same secret, and with the Backup Codes Generator to print one-time fallback codes for users who lose their phone.

Free to use. Works in your browser. No signup, no login.