ExpressVPN Glossary
Code generator
What is a code generator?
A code generator creates temporary, one-time passwords (OTP) for user authentication. It’s one part of a multi-factor authentication (MFA) system that confirms a person’s identity during login.
How does a code generator work?
A code generator relies on a shared secret key and a set of rules that use that key to create short, time-limited codes.
An online service generates a secret key and shares it with the code-generator app during setup, often via a QR code. The app usually stores the key on the user’s device, while the service keeps its copy. Both sides then compute codes locally using the same key and a changing factor and compare results during login.
There are two main types of code generators, defined by what they use as that changing factor:
- Time-based one-time password (TOTP): The app uses the current time, divided into short intervals (usually 30 seconds), to create new codes automatically. Apps such as Google Authenticator and ExpressVPN Keys use this method, generating codes offline that refresh every interval. Users can enter any currently valid code without requesting it.
- HMAC-based one-time password (HOTP): The app uses a counter that increases with each login or authentication event to generate a new code. A new code is triggered by user actions such as login attempts.
During login, the app shows the current code, and the user enters it into the system. The system runs the same calculation with its copy of the key to check for a match.
Why is a code generator important?
A code generator forms the core of two-factor authentication (2FA) or MFA by adding a verification step beyond the password: the user needs to provide a username and password and then use the generator to gain access.
Each code also expires within seconds, so even if someone manages to see or steal a code, it becomes useless almost immediately. And if an attacker breaks into the device later, the codes they find no longer work because the generator constantly replaces them with new ones. This design makes it extremely difficult to reuse or predict valid login codes. (However, if an attacker gains full access to the unlocked device, they could potentially use the stored secret key to generate new codes.)
Where are code generators used?
Code generators support secure logins for both personal and business use, including:
- Online accounts: Services such as Google, Facebook, and Microsoft use code generators to confirm identity during login and protect user data.
- Banking and financial services: Banks and trading platforms rely on generated codes to verify transactions and secure account access.
- Virtual private network (VPN) apps and secure portals: Companies use code generators to authenticate employees before granting access to internal systems.
- Government and administrative systems: Public-sector portals use them to protect confidential records and citizen data.
- Any system using MFA: Code generators form a key part of MFA, adding a dynamic verification step to strengthen overall security.
FAQ
What is the difference between a code generator and an authenticator app?
An authenticator app is one type of code generator that creates time-based codes directly on a user’s device. Other forms of code generation include hardware tokens that display codes on a physical device and remote methods such as SMS or email where the service generates and sends the code instead of the user’s device.
Are code generators safe?
Yes, code generators from reputable vendors are safe to use and are widely recommended for two-factor authentication (2FA). The main security consideration is keeping the device itself protected because if someone gains access to it, they could use the stored keys to generate valid codes.
What happens if I lose access to my code generator?
Recovery options vary by provider. Some code generators offer secure backup or recovery features, such as recovery keys. Others don’t include recovery methods by design, to prevent attackers from restoring codes without authorization.
Do VPNs use code generators for login?
Some VPN services use code generators as part of two-factor authentication (2FA) for account logins to verify user identity before granting dashboard access. This step adds an extra layer of security when signing into the VPN dashboard or managing account settings.