When you are building or debugging two-factor authentication, you usually end up relying on third-party apps like Google Authenticator or Authy. That works fine until you need to test a flow programmatically, automate QA on a 2FA login, or verify that your TOTP implementation matches the standard without spinning up a full auth server.
Here is a local-only workflow that generates a test password, produces a TOTP code on demand, and verifies the end-to-end authentication hash — all without anything leaving your browser.
Why Test 2FA Locally
External authenticator apps are designed for end users, not developers. You cannot control the timing precisely, you cannot extract a specific TOTP value for automated testing, and you have no way to verify the underlying HMAC-SHA1 signature without native tooling. When you are integrating TOTP into your own system, you need deterministic, inspectable output you can reason about.
Running the full chain locally also means you are not sending test credentials or authentication seeds to any third-party service. For security-sensitive work, that matters.
The Tool Chain
This workflow uses three tools in sequence:
1. **Password Generator** — creates a strong, random secret to use as your test account password.
2. **TOTP Code Generator** — derives a time-based one-time password from an HMAC-SHA1 secret.
3. **Hash Generator** — computes a SHA-256 digest of your final token so you can verify it against expected output.
The full flow looks like this:
Input (test password) → Password Generator → TOTP Code Generator → Hash Generator → Output (verified auth hash)
Step-by-Step Workflow
Step 1 — Generate a Test Password
Open the Password Generator tool. Set length to at least 24 characters. Toggle all character sets on: uppercase, lowercase, numbers, symbols. Click Generate.
Copy the output. This is your test password for the session. Because it is generated entirely in your browser, no copy is sent anywhere.
Do not use a real password here — this is a throwaway test credential. The goal is to generate a strong, random value you control completely.
Step 2 — Produce a TOTP Code
Take the password you just generated. You now need to derive a TOTP from it.
The TOTP Code Generator tool accepts a base32-encoded secret. If your Password Generator output is raw ASCII, convert the first 32 characters to base32 manually, or use the password as the raw seed depending on your testing scenario.
Enter your secret into the TOTP Generator. Set the period to 30 seconds (the RFC 6238 standard) and the digits to 6 (also standard). The tool will produce a code like 482 917.
Note the current timestamp precision — the code is valid only within its 30-second window. If you are automating this, account for the window rollover.
Step 3 — Verify with a Hash
Take the TOTP code and append the test password. Feed that combined string into the Hash Generator using SHA-256.
You get back a fixed-length hexadecimal digest. This is your verification hash. In a real auth system, the server would compute the same hash on its side using the stored password and received TOTP — if the hashes match, authentication succeeds.
By generating the hash yourself, you can confirm the logic works as expected before integrating with any backend.
What This Actually Tests
This chain validates three things:
TOTP generation is deterministic. Given the same secret and timestamp, the TOTP Generator produces the same code. If you refresh and the code changes, that is the time window rotating — not a bug in the tool.
HMAC-SHA1 is applied correctly. TOTP relies on HMAC-SHA1 under the hood. The Hash Generator confirms the underlying primitive is working as expected when you trace through the math manually.
Your auth flow logic is sound. By producing input, running it through the chain, and computing a final hash, you have a concrete expected output you can check your implementation against.
Common Failure Points in Real 2FA Systems
After running this chain, you will be better equipped to diagnose real-world 2FA failures:
Time drift is the most common. If the server clock and the client clock are more than 30 seconds apart, TOTP windows misalign and codes appear invalid. Most production systems allow a ±1 window tolerance, but beyond that you get auth failures with no clear error message.
Base32 encoding errors trip up a lot of implementations. Spaces, case sensitivity, and padding all matter. A trailing = padding character that gets stripped will produce completely wrong TOTP values.
HMAC key handling is where most custom implementations break. The secret must be passed as raw binary bytes to the HMAC function, not as a string. Converting the secret to a string before hashing is the single most frequent mistake in hand-rolled TOTP code.
FAQ
Can the TOTP Generator work without an internet connection?
Yes. The tool runs entirely in your browser using JavaScript's Web Crypto API. No network requests are made and no data is transmitted anywhere. You can air-gap the entire workflow.
Is the HMAC-SHA1 output from the TOTP Generator cryptographically secure?
The implementation follows RFC 6238, which is the same standard used by Google Authenticator, Authy, and most hardware tokens. For testing and validating your own auth flows, it provides sufficient precision. It is not intended as a replacement for a hardware security key in production.
Why does the Hash Generator step matter if TOTP already works?
In a real authentication system, the server never stores the TOTP code itself — it stores the original secret and computes the expected hash on receipt of the code. By running the Hash Generator step yourself, you verify that the server-side computation matches the client-side output, which is how you catch implementation bugs before they reach production.
Wrap-Up
Testing 2FA does not require a cloud service, a third-party authenticator app, or any network connectivity. With a strong password, a TOTP code, and a verification hash, you can validate the full authentication chain in under a minute.
This workflow is especially useful during development and QA when you need reproducible, inspectable auth output. Keep it bookmarked — you will use it more than you expect.