HOTP

HOTP is the acronym for HMAC-based One-Time Password.

HMAC-based One-Time Password

HOTP is an algorithm for generating one-time passwords (OTPs) for authentication purposes. It is the foundation upon which the TOTP (Time-based One-Time Password) algorithm is built. Key points about HOTP:

  1. Algorithm: HOTP uses a cryptographic hash function (usually HMAC-SHA1) and a shared secret key to generate a unique password based on a counter value.
  2. Counter-based: Each password is generated using a counter that increments after each use. The server and the user’s device keep track of the counter independently.
  3. Shared secret: The server and the user’s device share a secret key, which is used along with the counter value to generate the same password independently.
  4. Password generation: The HMAC function takes the shared secret key and the counter value as inputs and generates a fixed-length output. A portion of this output is then converted into a 6-8 digit decimal number, which serves as the one-time password.
  5. Synchronization: The server and the user’s device must maintain a synchronized counter for the system to work correctly. If the counters become out of sync, the generated passwords will not match.
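
The password generation and synchronization points above, as an added Python example (not code from the original page). The names `hotp`, `verify` and `look_ahead` are assumptions; the look-ahead window goes beyond the text and follows the resynchronization approach described in RFC 4226, and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Generate one HOTP value with HMAC-SHA1 (RFC 4226)."""
    # The counter is the HMAC message, encoded as an 8-byte big-endian integer.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte select an offset.
    offset = mac[-1] & 0x0F
    # Read 4 bytes at that offset and clear the top bit (31-bit value).
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep the low decimal digits, left-padded with zeros.
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, server_counter: int, submitted: str,
           look_ahead: int = 3, digits: int = 6):
    """Server-side check with a small look-ahead window (assumed size: 3).

    Returns the new server counter on success, None on failure.
    The window tolerates codes the device generated but never submitted.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        expected = hotp(secret, c, digits).encode()
        # Constant-time comparison of the candidate and submitted codes.
        if hmac.compare_digest(expected, submitted.encode()):
            # Advance past the matched counter so the code cannot be replayed.
            return c + 1
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    counter = 0
    # Device is two codes ahead of the server; the window resynchronizes.
    counter = verify(secret, counter, hotp(secret, 2))
    print("server counter after resync:", counter)
    # The same code submitted again is rejected.
    print("replay accepted:", verify(secret, counter, hotp(secret, 2)) is not None)
```

A wide look-ahead window gives a guessed code more counters to match against, so keep it small and pair it with a limit on failed attempts.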

The main difference between HOTP and TOTP is that HOTP uses a counter value, while TOTP uses the current time to generate passwords. TOTP is generally considered more secure and convenient, as it does not require the server and the user’s device to keep track of the counter state.

HOTP is defined in RFC 4226 and is used in various authentication systems, including hardware tokens and software-based authenticator apps.

  • Abbreviation: HOTP