
OTP


What is an OTP?

OTP stands for One-Time Password, which is essential for Two-Factor Authentication and Multi-Factor Authentication. These tokens can be generated offline by combining a constant seed (shared secret key) and a moving factor.

HOTP (HMAC-based One-Time Password)

HOTP uses an event-based counter as its moving factor.

  • Setup: Scanning a QR code shares a random secret between the server and the app.
  • The Counter: Starts at zero and increments each time a code is requested.
  • Generation: Uses HMAC-SHA1 to combine the secret and counter, producing a 160-bit output that is dynamically truncated to a 6- or 8-digit code.
  • Desyncing: If codes are generated but unused, the app’s counter gets ahead of the server’s. Servers typically look ahead 4 to 5 values to resync. If the counter is pushed further ahead than that window, the 2FA must be reset.
  • Use Cases: Legacy systems and embedded hardware tokens that do not have an internal clock.

TOTP (Time-based One-Time Password)

TOTP uses time as its moving factor, replacing the sequential counter.

  • Generation: Derives the counter from the current Unix time divided by a time step (usually 30 seconds). This counter is passed into the same HMAC function as HOTP.
  • Validation: Checks codes against the current time window, with a short grace period on either side for clock drift. It prevents reuse by accepting only codes from a strictly newer time step than the last one accepted.
  • Use Cases: The modern standard for almost all online services.

Which is better?

TOTP is generally preferred and is what modern applications use. HOTP remains useful strictly for devices that lack a clock. The service provider typically decides which method to use, but both rely on HMAC over a Secure Hash Algorithm (SHA) digest and significantly improve account security.

https://nahil.xyz/vault/cryptography/otp/
Author Nahil Rasheed
Published at April 13, 2026