HOTPs

HOTPs, or HMAC-based One-Time Passwords, are one-time codes generated from a shared secret key and a moving factor called a counter, as defined in RFC 4226. The code is produced by applying an HMAC (typically with SHA-1) to the secret and the counter, followed by dynamic truncation to yield a decimal value, usually presented as 6 or 8 digits.

In operation, the client and server each hold the same secret key. The counter represents a moving factor that increments with each authentication attempt. To verify an OTP, the server computes the same HMAC using the shared secret and a candidate counter value (often within a small window to account for synchronization) and checks whether the truncated result matches the presented code. If verification succeeds, the server advances its state or records the counter to prevent reuse.

Security and practical considerations include secure provisioning and storage of the secret, and careful management of the counter to avoid replay or desynchronization. Since HOTP relies on a counter rather than wall clock time, it does not suffer from clock drift, but it requires re-synchronization if devices fall out of sync. If a secret is compromised, an attacker who knows the counter sequence can generate future OTPs.

HOTP is commonly used in hardware tokens and software authenticator apps for two-factor authentication. It contrasts with TOTP, which uses the current time as the moving factor (RFC 6238) rather than an incrementing counter, making HOTP and TOTP complementary approaches in secure authentication systems.
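The generation and server-side verification described above, as an added example that is not part of the original page: HMAC-SHA1 over the 8-byte counter, RFC 4226 dynamic truncation, a look-ahead window for resynchronization, and counter advancement so an accepted code cannot be replayed. The secret is the RFC 4226 Appendix D test key; the window size of 5 is an assumed server policy.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) followed by dynamic truncation."""
    # The moving factor is the counter as an 8-byte big-endian integer.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
    # and the top bit of that window is masked off to avoid sign ambiguity.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side state: shared secret plus the next counter value it expects.

    `window` (assumed policy) is how many counter steps ahead the server will
    accept, so a token whose button was pressed without logging in can resync.
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = counter      # next counter value the server expects
        self.window = window
        self.digits = digits

    def verify(self, code: str) -> bool:
        # Only look forward: counters at or below the last accepted one are
        # rejected, which is what prevents replay of an already-used code.
        for candidate in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                # Record the accepted counter by moving past it.
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 Appendix D test secret.
    key = b"12345678901234567890"
    for c in range(3):
        print(c, hotp(key, c))
```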