Authenticator apps, hardware tokens, and SMS codes are common authentication methods you’d encounter when setting up two-factor authentication (2FA). All of them rely on one-time passwords (OTP). TOTP and HOTP are two standardized types of OTPs, while SMS and email codes are other common OTP delivery methods. Although they fundamentally serve the same basic purpose, their implementations differ, giving them unique benefits and limitations. In this article, we’ll break down HOTP vs TOTP vs OTP and explain which option makes the most sense for different use cases.

Understanding HOTP, TOTP, and OTP 

One-time password (OTP)

OTPs are temporary codes, sometimes referred to as single-use passwords or 2FA codes, that are used only once. They don’t replace passwords; instead, they provide an additional layer of security. OTPs are commonly used in banking applications for identity verification during logins or when setting up an online account.

Note: OTP is the umbrella term for various forms of single-use passwords, including TOTP, HOTP, and email/SMS. 

Time-based one-time password (TOTP)

TOTP codes are typically 6-digit codes generated by authenticator apps. They’re valid for around 30 seconds (sometimes up to 60 seconds, depending on the service). When a code expires, it is no longer functional, and a new one is generated. The time-based nature of TOTP makes it highly secure, as it limits the window of opportunity for attackers to use any stolen code.

HMAC-based one-time password (HOTP)

HOTPs are commonly found in hardware tokens like YubiKeys and rely on a counter-based system to generate codes. This system works in a similar fashion to a book of numbered vouchers — there’s a running order of codes that gets matched against the system. As long as the hardware token and application server remain in sync, you’re granted access. 

Unlike TOTP, HOTP codes do not expire on a timer. They remain valid until you use them or generate a new one. This makes HOTP ideal for offline scenarios, but it also means that if you generate a code and don’t use it, it remains a valid key that an attacker could find and use.

HOTP, TOTP, and OTP: Key differences

TOTP and HOTP are both types of OTPs with different generation methods. For example, if you’re comparing TOTP against OTP, you’re likely comparing the time-based codes from authenticator apps against general OTP methods like SMS and email codes.

| | SMS/Email codes | TOTP | HOTP |
|---|---|---|---|
| Code validity | Varies (minutes to hours) | 30 to 60 seconds | Until a new code is generated |
| Security* | Low | High | Moderate |
| Setup complexity | None | Low | Moderate |
| Active network requirement | Yes | No | No |
| Additional hardware | None | None | Hardware token |

*Security level based on code validity windows and interception risk.

Security 

HOTP, TOTP, and OTP offer different levels of security, with the key considerations being exposure time and transmission method. 

TOTP generally offers stronger security than SMS or email codes, as codes are generated on the device and have a short validity. If attackers somehow get hold of your TOTP code, it becomes useless as soon as that short window expires.

HOTP is built on a cryptographic foundation, providing solid security. However, because HOTP codes don’t expire on a timer, a stolen code can remain usable until the next one is generated, so the potentially long validity windows are a real weakness.

SMS and email codes are the least secure of the bunch. They travel over networks that can be intercepted or redirected, making them more vulnerable to SIM swap or phishing attacks.

Note: No OTP method is immune to social engineering attacks, such as phishing. It’s important to know how to spot phishing to properly defend yourself.

| SMS/Email codes | TOTP | HOTP |
|---|---|---|
| Susceptible to interception due to active network requirements | Minimal time for attackers to exploit stolen codes | Long validity offers extended attack opportunities |
| Unencrypted platforms make codes easier to steal | Lower interception risk, as codes are generated on device | Solid security built on a cryptographic foundation |

User experience 

Setup complexity, time pressure, and reliability affect the user experience of the three methods. 

TOTP is reliable and convenient. Setup is straightforward (often simply a QR code scan), and codes are generated even without an active network. However, the short code expiry creates time pressure, which can cause frustration for slower users or those managing multiple accounts.

HOTP is much more relaxed in comparison, with zero time constraints. Setup is much more complex, though, and may involve purchasing additional hardware.

SMS and email codes are the most effortless, with no setup, but they rely on network connectivity, which can cause delays during outages or disruptions.

| SMS/Email codes | TOTP | HOTP |
|---|---|---|
| No setup required | Simple setup via QR code with a 2FA authenticator | Complex setup, may require additional hardware |
| Slight time pressure, with some codes expiring in hours | Time pressure can cause frustration | No time pressure |
| Wholly dependent on an active network for code delivery | Works reliably even without a network connection | Works offline, but sync issues may occur |

Limitations

The unique limitations of each method will affect how and when you use them. SMS and email codes work with your existing devices, but their dependence on your network and internet connections can cause delays with code delivery that might even last longer than their validity.

TOTP does not require a network connection to generate codes, but it does require your smartphone’s clock to be synchronized with the server’s for your code to work. The best way to ensure this is to have your device’s clock sync automatically over the internet, so that the time stays in sync even when you’re travelling across time zones.

With HOTP, generating new codes offline can be beneficial when network connectivity is poor. This is a double-edged sword, however. Regenerating codes without using them can cause your device to fall out of sync with the server, creating authentication failures. Also, the manual regeneration required with HOTP places a huge security onus on the user.

| SMS/Email codes | TOTP | HOTP |
|---|---|---|
| Areas of poor network can cause significant delays in code delivery | Device time needs to be in sync with server time, even when travelling | Can go out of sync if too many codes are generated but not used |

Which OTP method should you use? 

The short answer is that TOTP is the best standard for most people, while HOTP serves specific offline needs. Both are superior to SMS. 

While individual needs vary, TOTP appears to be the more balanced choice in most situations. The time-based nature provides an additional layer of security, and smartphone-enabled accessibility makes it a convenient and secure choice for the accounts you regularly access. But, for even stronger protection against phishing, hardware-based methods like FIDO2/passkeys go further than any OTP method.

Store passwords and generate OTPs securely

Managing passwords and TOTP authentication codes can be a hassle — constant app switching during logins reduces the already limited time you have to enter codes. Proton Pass is a secure password manager that reduces this friction with our integrated 2FA (TOTP) functionality. Access your passwords, 2FA codes, and more from one secure, encrypted vault.