
HOTP

HOTP stands for HMAC-based One-Time Password. It is an authentication method that generates a short numeric code from a shared secret key and a moving factor, typically used for two-factor authentication. The moving factor is called a counter and increments with each code generation or verification.

Mechanism and generation: HOTP uses a secret key (shared between client and server) and a counter as inputs to an HMAC function, usually HMAC with SHA-1. The resulting hash undergoes dynamic truncation to produce a 31-bit binary value, which is then reduced modulo 10^digits to form the final numeric code. Most deployments use 6 or 8 digits. The code is valid for a specific counter value, and the same secret and counter must be known by both sides to verify a given code.

Usage and verification: In practice, the client and server maintain synchronized counters. When a user presents a code, the server regenerates HOTP codes for the current and nearby counter values to verify it. If codes fall out of sync due to missed events, resynchronization methods are defined to re-align the counters. HOTP is commonly implemented in hardware tokens and software authenticator apps, where the user generates the code after performing a trigger or event.

Standards and relationship to TOTP: HOTP is standardized in RFC 4226 and serves as the basis for TOTP, which uses a time-based moving factor (RFC 6238) instead of a counter. While HOTP is event-based, TOTP relies on synchronized time steps to produce codes.

Security considerations: The secret key must be protected, and the counter and verification process should handle resynchronization securely. Longer digit lengths increase brute-force resistance, though user convenience must also be balanced.
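The generation and verification steps above, as an added example that is not part of the original page: HMAC-SHA-1 over the 8-byte counter, dynamic truncation, modulo 10^digits, and a server-side verifier with a bounded look-ahead window that never accepts a counter at or below the last accepted one. The `HotpVerifier` class and its `look_ahead` parameter are this example's own names, not anything defined by RFC 4226.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1(secret, counter) -> dynamic truncation -> mod 10^digits."""
    # The moving factor is an 8-byte big-endian counter (RFC 4226 section 5.1).
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation (section 5.3): the low nibble of the last byte picks an
    # offset; four bytes from there, with the top bit masked, give a 31-bit value.
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side: tracks the next expected counter and resynchronizes within a window."""

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6, look_ahead: int = 10):
        self.secret = secret
        self.counter = counter        # next counter value the server expects
        self.digits = digits
        self.look_ahead = look_ahead  # how many skipped client events we tolerate

    def verify(self, candidate: str) -> bool:
        # Only counters at or beyond the expected one are tried, so a code that was
        # already accepted (or one generated before it) can never be replayed.
        for step in range(self.look_ahead + 1):
            c = self.counter + step
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                self.counter = c + 1  # resync: jump past the matched counter
                return True
        return False  # caller should count this toward a throttling limit


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 Appendix D test secret.
    v = HotpVerifier(b"12345678901234567890")
    print(hotp(v.secret, 0), v.verify(hotp(v.secret, 0)), v.counter)
```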