If you’ve ever used a hardware token to approve digital banking transactions or tapped on a YubiKey to generate a login code, you’ve used HMAC-based one-time password (HOTP) technology. To help you understand how you can use HOTP to protect your accounts, we’ll explore how HOTP works, its benefits and limitations, and compare it with other OTP methods.

What is HOTP? 

HOTP stands for HMAC-based one-time password. It’s a two-factor authentication (2FA) method that generates single-use login codes on demand.

HMAC, or Hash-based Message Authentication Code, is a cryptographic technique that uses a secret key and a hashing function to produce a secure, tamper-resistant value. HOTP applies HMAC together with a counter to ensure that each authentication code is unique and can only be used once.

Because HOTP codes remain valid until used or replaced, they are well-suited for remote work and other environments where reliable time synchronization or constant connectivity isn’t possible.

How does HOTP work? 

HOTP authentication is based on two shared components: a secret key and a counter. Both the user’s device and the authentication server store these values and use them to independently generate the same one-time code.

Setup: When a hardware token is set up, a secret key is shared between the device and the application server and stored securely on both sides.

Generating a code: The device uses HMAC, a keyed hash construction, to combine the secret key with the current counter value. The result is truncated to a short, unpredictable one-time password.

Authentication: When you enter the HOTP code, the server performs the same calculation using its own copy of the secret key and counter. If the codes match, access is granted.

The HOTP counter system explained

HOTP relies on a counter shared between your device and the authentication server. Each time you generate a new code, the device's counter increments. After a successful login, the server advances its counter as well. As long as the device and server counters stay in sync, the codes will match and grant you access.

Think of HOTP as a book of numbered vouchers that you tear off and use in sequence. A used voucher can’t be reused, and you must use the next one. The HOTP counter system operates similarly.
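The following is an added example, not code from the original article or from Proton, that carries the setup, generation and authentication steps above through in working code. It implements the RFC 4226 computation (HMAC-SHA1 over the 8-byte counter, dynamic truncation, reduction to a six-digit code) and a token/server pair that share a secret and a counter. The shared secret is the public reference secret from the RFC's own test vectors, used only so the values are reproducible; the `Token`, `Server` and `demo` names are this example's own. The server verifies with a small look-ahead window, the standard way to tolerate a user who pressed the button a few times without logging in, and it moves its counter past any accepted code so that a reused voucher is rejected.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D reference secret (ASCII "12345678901234567890").
# Real deployments provision a random per-token secret; this public value
# is used here only so that the codes below match the RFC's test vectors.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = (
        (mac[offset] & 0x7F) << 24               # clear the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The user's device (hypothetical class): holds the secret and its
    own moving counter, which advances on every button press."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """The verifier (hypothetical class): same secret, its own counter,
    and a look-ahead window so a few unused codes on the token side do
    not lock the user out."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                # Resynchronise: jump past the counter that was used, so this
                # code and any skipped earlier ones can never be replayed.
                self.counter = c + 1
                return True
        return False


def demo() -> dict:
    """Walk through a login, a replay attempt, counter drift inside the
    window, and drift beyond the window. Returns the outcomes."""
    token = Token(SHARED_SECRET)
    server = Server(SHARED_SECRET, look_ahead=3)
    results = {}

    first = token.press()                               # counter 0 -> 755224
    results["first_accepted"] = server.verify(first)
    results["replay_rejected"] = not server.verify(first)

    token.press(); token.press()                        # counters 1, 2 unused
    drifted = token.press()                             # counter 3 -> 969429
    results["within_window_accepted"] = server.verify(drifted)
    results["server_counter_after_resync"] = server.counter   # 4

    for _ in range(4):
        token.press()                                   # counters 4..7 unused
    far = token.press()                                 # counter 8 -> 399871
    results["beyond_window_rejected"] = not server.verify(far)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The look-ahead window is what keeps the "voucher book" usable when a few vouchers are torn off and discarded; a server with no window would reject the user after a single stray press. The window must stay small, because every extra counter the server is willing to accept is one more valid code an attacker could guess or use from a stolen token.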

HOTP authentication vs. other OTPs 

HOTP vs. OTP 

One-time password (OTP) is a broad term for the various single-use passwords used for 2FA. HOTP is a specific type of OTP that relies on a counter-based system to generate its codes.

HOTP vs. TOTP

Time-based one-time passwords (TOTP) automatically generate a new code every 30 to 60 seconds. The most common example of TOTP is the codes generated by authenticator apps. HOTP, by contrast, generates a new code only when requested, using a counter rather than a timer.

This difference affects the security of each OTP method. The quick expiration of TOTP gives attackers a very small window of opportunity. By contrast, HOTP codes could remain valid for days or even weeks.

However, HOTP is more reliable in situations where devices have unreliable clocks, such as equipment in remote locations with weak internet connections.

HOTP vs. SMS and email codes

OTP codes sent via SMS and email are susceptible to interception because they must travel across cellular and internet networks. HOTP generates codes on-device, making it more secure while providing consistent access even during network disruptions.

What are the benefits and limitations of HOTP? 

The benefits of HOTP authentication

There are several advantages to using HOTP as your preferred OTP method:

  • Works offline: HOTP can operate offline, making it ideal for locations with restricted internet access.
  • No time pressure: HOTP codes don’t automatically expire, so you can take your time to enter the code.
  • Recognized algorithm: HOTP is defined by RFC 4226, which ensures compatibility across software providers and hardware tokens from various vendors.
  • Fewer dependencies: HOTP’s counter-based system doesn’t rely on accurate clocks or continuous connectivity, which can make it more predictable in certain environments.

The limitations of HOTP authentication

As with all technologies, HOTP comes with some important considerations:

  • Indefinite validity: HOTP codes can remain active indefinitely if no new codes are generated. This gives attackers more time to exploit stolen codes.
  • Counter synchronization: If you generate codes without using them, your device and server counters can fall out of sync, causing authentication failures.
  • Manual management: Since codes don’t automatically expire, you must remember to generate new codes after each use.

Take a step towards stronger password security

While HOTP may not offer the security benefit of automatic expiration or the convenience of SMS codes, its counter-based system offers unique advantages. It’s a proven 2FA system with reliable offline access, and the absence of time pressure might make it preferable for some. 
To easily manage your passwords and 2FA codes in one encrypted location, consider using Proton Pass. Our secure password manager with an integrated 2FA authenticator keeps all your credentials and 2FA codes protected with full end-to-end encryption. Keeping your digital life secure and convenient has never been simpler.