HMAC-Based One-Time Password (HOTP)

The HMAC-based One-Time Password algorithm (HOTP) is a method for generating a [[One-Time Password (OTP)]] from a shared secret key and a counter using a cryptographic hash function. HOTP is an open standard, defined in Request for Comments (RFC) 4226 by the Internet Engineering Task Force (IETF). It is widely used for authentication in systems that require strong security, such as online banking and corporate networks.

Both the server and the user's token hold a pre-shared secret key, which is usually provisioned when the user enrolls in the service. The second input to the algorithm is a counter: an 8-byte incrementing integer that both sides are expected to keep synchronized. The token increments its counter every time it generates an OTP; the server increments its copy only after it successfully verifies one.

The algorithm computes an HMAC (Hash-based Message Authentication Code) over the counter, encoded as an 8-byte big-endian value, keyed with the shared secret. RFC 4226 specifies HMAC-SHA-1 for this step.

The 20-byte HMAC is then truncated to produce the OTP: the low four bits of the last byte select an offset, four bytes are read from that offset, the top bit is cleared, and the result is reduced modulo 10^d to give a d-digit code, typically 6 to 8 digits. When a user attempts to authenticate, they enter the OTP shown on their device. The server, which also knows the secret key and its current counter value, computes its own OTP and compares it (in constant time) with the submitted one. If they match, authentication succeeds and the server advances its counter.

HOTP's security rests on the HMAC construction and on the secrecy of the shared key, not on the collision resistance of the underlying hash: without the key an attacker cannot compute the OTP for any counter value, and an observed OTP reveals neither the key nor future OTPs. Because a 6-digit OTP can be guessed with probability 1 in 10^6 per attempt (multiplied by the size of the server's look-ahead window), RFC 4226 requires the server to detect and stop brute-force attacks, typically by throttling or locking the account after a small number of failures. Unlike time-based OTPs, HOTP does not rely on time synchronization between the server and the client, which is an advantage in environments where time sync is challenging.

Both the server and the client must keep counter state, and the two copies drift apart whenever the token generates OTPs that never reach the server (a button pressed by accident, a code typed incorrectly). RFC 4226 handles this with a look-ahead window: the server tries counter values from its own value C up to C+s, and on a match resynchronizes to the matched counter plus one. A token that has advanced beyond the window needs an explicit resynchronization procedure.
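The generation, truncation and verification steps described above, as an added example that is not part of the original page or of RFC 4226 itself. The `hotp` function follows the RFC (HMAC-SHA-1, dynamic truncation, modulo 10^d) and is checked against the Appendix D test vectors, whose secret is the ASCII string `12345678901234567890`. The `HotpToken` and `HotpVerifier` classes, the look-ahead window of 10 and the lockout after 5 failures are this example's own choices; RFC 4226 leaves the window size and throttling policy to the deployment.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value.

    secret  : the shared key as provisioned at enrolment (raw bytes)
    counter : the moving factor, sent to HMAC as an 8-byte big-endian integer
    digits  : number of decimal digits in the returned code (6 to 8)
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()  # 20 bytes
    # Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
    # byte selects where a 4-byte word is read from the HMAC output.
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24  # clear the top bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """Client side (hypothetical class): each press yields a code and advances the counter."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return code


class HotpVerifier:
    """Server side (hypothetical class): look-ahead window plus failure lockout."""

    def __init__(self, secret: bytes, digits: int = 6,
                 look_ahead: int = 10, max_failures: int = 5):
        self.secret = secret
        self.digits = digits
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead  # window size s, an assumption of this example
        self.max_failures = max_failures
        self.failures = 0

    def verify(self, submitted: str) -> bool:
        if self.failures >= self.max_failures:
            return False            # locked out: stops brute force (RFC 4226 section 7.3)
        # Reject malformed input before comparing; compare_digest needs ASCII strings.
        if not (len(submitted) == self.digits
                and submitted.isascii() and submitted.isdigit()):
            self.failures += 1
            return False
        # Try C, C+1, ..., C+s so that codes the token generated but never
        # submitted do not permanently desynchronize the two sides.
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.counter = candidate + 1  # resync past the consumed counter
                self.failures = 0
                return True
        self.failures += 1
        return False


def demo() -> dict:
    """Token pressed three times, only the third code submitted: the server
    catches up via the look-ahead window and then rejects a replay."""
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test key
    token = HotpToken(secret)
    server = HotpVerifier(secret)
    first = token.press()    # counter 0, never submitted
    token.press()            # counter 1, never submitted
    third = token.press()    # counter 2
    return {
        "first_code": first,                      # "755224" per Appendix D
        "third_accepted": server.verify(third),   # True: found at counter 2
        "server_counter": server.counter,         # 3: resynchronized
        "replay_rejected": not server.verify(third),  # counter 2 is now behind the window
    }


if __name__ == "__main__":
    print(demo())
```

Two points are easy to get wrong in practice: the counter must be encoded as 8 bytes big-endian (not as a decimal string), and the server must advance its counter to one past the matched value, otherwise a captured code stays valid until the user logs in again.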

Info

HOTP is commonly used in hardware tokens (such as key fobs) for two-factor authentication. Each time the user presses the button on the token, it displays a new OTP computed with the HOTP algorithm and advances its internal counter.

HOTP and TOTP (Time-based One-Time Password, RFC 6238) share the same HMAC-and-truncate core; they differ only in the moving factor. TOTP derives it from the current time divided into fixed-size steps, so its codes expire on their own, whereas HOTP uses an event counter, so a code stays valid until it is used or superseded. Each approach has its own advantages and suits different application requirements.