What Is Base32 Encoding? Why TOTP Uses It (Developer Explanation)

What Is Base32?

Base32 is an encoding scheme that converts binary data into a text string using exactly 32 characters: the uppercase letters A–Z and the digits 2–7. The result looks like: JBSWY3DPEHPK3PXP.

If you've ever set up 2FA and seen the option to "enter the code manually" instead of scanning a QR code, that long string of uppercase letters and numbers is a Base32-encoded TOTP secret.

The Base32 Character Set

A=0  B=1  C=2  D=3  E=4  F=5  G=6  H=7
I=8  J=9  K=10 L=11 M=12 N=13 O=14 P=15
Q=16 R=17 S=18 T=19 U=20 V=21 W=22 X=23
Y=24 Z=25 2=26 3=27 4=28 5=29 6=30 7=31

Notice what's missing: 0, 1, 8, and 9. These are excluded to avoid visual ambiguity with O (oh), I (eye), B, and the digit 8. This makes Base32 strings safer for humans to read and type without errors.

How Base32 Encoding Works

Base32 takes groups of 5 bits from the input binary and maps them to one character (2⁵ = 32 possible values). Since bytes are 8 bits:

• Every 5 bytes of input (40 bits) becomes exactly 8 Base32 characters
• If the input isn't a multiple of 5 bytes, padding characters (=) are added to reach the next multiple of 8 characters

Example: Encoding "Hi"

H = 01001000
i = 01101001

Binary: 01001000 01101001
Group into 5 bits: 01001 00001 10100 1(pad)

01001 = 9  → J
00001 = 1  → B
10100 = 20 → U
+ padding

Result: JBU= (with padding)

Base32 vs Base64: When to Use Each

Why TOTP Specifically Uses Base32

TOTP secrets (defined in RFC 4226 and RFC 6238) use Base32 for three reasons:

1. Human readability: Users sometimes need to manually enter the secret if they can't scan a QR code. Base32's case-insensitive, confusion-free character set minimises transcription errors.
2. No special characters: Base32 strings are safe in URLs, QR codes, configuration files, and any encoding context without escaping.
3. Compact enough: A 20-byte (160-bit) secret encodes to 32 Base32 characters manageable to type if needed.

Other Uses of Base32

• DNS records: DNSSEC uses Base32 for hashed owner names (NSEC3)
• Filenames: Content-addressable storage systems use Base32 hashes as filenames (no case sensitivity issues on Windows)
• Tor .onion addresses: v3 onion addresses are Base32-encoded (56 characters)
• Bitcoin addresses: Bech32 (a variant of Base32) is used for SegWit addresses

Encode and Decode Base32 Instantly

You can encode and decode Base32 strings directly in your browser with our free Base32 Encoder/Decoder. The conversion runs entirely client-side. Also useful for generating TOTP secrets: use our 2FA Secret Generator, which outputs properly formatted Base32 secrets ready for authenticator apps.

Frequently Asked Questions

Is Base32 the same as Base64?

No, they use different character sets and have different encoding ratios. Base64 is more space-efficient (33% overhead vs 60% for Base32) and more commonly used for binary-to-text encoding in general. Base32 is preferred when human readability and case-insensitivity matter, like in TOTP secrets.

Why does Base32 skip 0, 1, 8, and 9?

To prevent transcription errors when humans read or type the encoded string. 0 looks like O (letter), 1 looks like I or l, and 8 can be confused with B in some fonts. Using only 2–7 from the digits avoids all these ambiguities.

Is Base32 encoding the same as encryption?

No, encoding is not encryption. Base32 is a reversible representation change with no key or secret involved. Anyone who sees a Base32 string can decode it. For a TOTP secret, the security comes from keeping the Base32-encoded string confidential, not from Base32 itself providing any protection.

What is Base32 padding, and do I need it?

Padding (=) fills Base32 strings to multiples of 8 characters. Many implementations accept Base32 with or without padding. TOTP secret keys are typically displayed without padding (many authenticator apps accept either). When implementing, you should handle both cases.