HOTP and TOTP are the two main standards for One-Time Passwords, but what do they mean from a security perspective, and why would you choose one over the other?


In both HOTP and TOTP the token (i.e. the OTP generator) produces a numeric code, usually 6 or 8 digits. The security of an OTP rests on the fact that the codes are constantly changing and that each code is single-use, hence the name.

HOTP: Event-based One-Time Password

Event-based OTP (also called HOTP, meaning HMAC-based One-Time Password) is the original One-Time Password algorithm and relies on two pieces of information. The first is the secret key, called the "seed", which is known only by the token and the server that validates submitted OTP codes. The second is the moving factor which, in event-based OTP, is a counter. The counter is stored in the token and on the server. The counter in the token increments each time the button on the token is pressed, while the counter on the server is incremented only when an OTP is successfully validated.

To calculate an OTP the token feeds the counter into the HMAC algorithm using the token seed as the key. HOTP uses the SHA-1 hash function in the HMAC. This produces a 160-bit value which is then truncated (the "dynamic truncation" defined in RFC 4226: four bytes are selected at an offset taken from the last byte of the HMAC) down to the 6 (or 8) decimal digits displayed by the token.

TOTP: Time-based One-Time Password

Time-based OTP (TOTP for short) is based on HOTP, but the moving factor is time instead of the counter. TOTP divides time into increments called the timestep, which is commonly 30 or 60 seconds; the value fed into the HMAC is the number of whole timesteps elapsed since the UNIX epoch. This means that each OTP is valid for the duration of the timestep.


Both OTP schemes offer single-use codes, but the key difference is that in HOTP a given OTP is valid until it is used, or until a subsequent OTP is used. In HOTP there are several valid "next OTP" codes. This is because the button on the token can be pressed, thus incrementing the counter on the token, without the resulting OTP being submitted to the validating server. For this reason, HOTP validating servers accept a range of OTPs. Specifically, they will accept an OTP that is generated by a counter that is within a set number of increments of the counter value stored on the server. This range is known as the validation window. If the token counter is outside the range allowed by the server, validation fails and the token must be re-synchronised.

So clearly in HOTP there is a trade-off to make. The larger the validation window, the less likely the need to re-sync the token with the server, which is inconvenient for the user. Importantly though, the larger the window, the greater the chance of an attacker guessing one of the accepted OTPs with a brute-force attack: with 6-digit codes and a window of w counters, a single random guess succeeds with probability roughly w in a million, which is why RFC 4226 also requires the server to throttle or lock out after repeated failures.

In contrast, in TOTP there is only one valid OTP at any given time - the one generated from the current UNIX time. Note that this alone does not prevent a code being replayed within its timestep, so the server should also record the last timestep it accepted for each token and refuse a second code from the same step.


Choosing between HOTP and TOTP purely from a security perspective clearly favours TOTP. Importantly, the validating server must be able to cope with the potential for time-drift in TOTP tokens in order to minimise any impact on users, typically by also accepting the codes for one or two adjacent timesteps and tracking the drift observed for each token.
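To make the counter, truncation, validation window and drift handling described above concrete, here is an added Python example; it is not code from the original article or from rcfereform.org's tokens. It implements HOTP and TOTP as RFC 4226 and RFC 6238 define them, plus the server-side state each scheme needs: a HOTP validator that accepts a window of counters and re-synchronises on success, and a TOTP validator that tolerates `skew` timesteps of drift while refusing to accept the same timestep twice. The class and parameter names (`HotpValidator`, `TotpValidator`, `window`, `skew`) were chosen for this example, and the seed is the RFC 4226 test-vector secret used here only as constructed sample input.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # low nibble of the last byte selects the window
    chunk = mac[offset:offset + 4]           # four bytes starting at that offset
    code = struct.unpack(">I", chunk)[0] & 0x7FFFFFFF   # clear the top bit (sign)
    return str(code % 10 ** digits).zfill(digits)       # keep the low `digits` digits


def totp(secret: bytes, digits: int = 6, timestep: int = 30, now=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of whole
    timesteps elapsed since the UNIX epoch."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // timestep, digits)


class HotpValidator:
    """Server-side HOTP state (names are this example's own).
    `counter` is the next counter value expected from the token; codes from
    counters in [counter, counter + window) are accepted."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = counter
        self.window = window
        self.digits = digits

    def validate(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                # Re-synchronise: move past the matched counter so this code and
                # any earlier unused codes can never be accepted again.
                self.counter = candidate + 1
                return True
        return False   # outside the window: the token needs a manual re-sync


class TotpValidator:
    """Server-side TOTP state (names are this example's own).
    Accepts the current timestep and `skew` steps either side of it, but never
    a step at or before the last one already consumed (single-use)."""

    def __init__(self, secret: bytes, digits: int = 6, timestep: int = 30, skew: int = 1):
        self.secret = secret
        self.digits = digits
        self.timestep = timestep
        self.skew = skew
        self.last_step = -1   # highest timestep for which a code has been accepted

    def validate(self, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        current = int(now) // self.timestep
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue   # already used (or older than a used code): replay
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed sample input: the RFC 4226 / RFC 6238 test-vector secret.
    SECRET = b"12345678901234567890"

    print("HOTP counters 0..2:", [hotp(SECRET, c) for c in range(3)])   # 755224 287082 359152
    print("TOTP (8 digits) at t=59:", totp(SECRET, digits=8, now=59))   # 94287082

    # User pressed the button three times without logging in, then submits.
    server = HotpValidator(SECRET, counter=0, window=5)
    print("HOTP accept counter 3:", server.validate(hotp(SECRET, 3)), "-> next =", server.counter)
    print("HOTP replay counter 3:", server.validate(hotp(SECRET, 3)))

    # Token clock is 20 s behind the server: still inside one step of skew.
    tv = TotpValidator(SECRET, skew=1)
    stale = totp(SECRET, now=1000)
    print("TOTP drifted code:", tv.validate(stale, now=1020), "replay:", tv.validate(stale, now=1020))
```

The window and skew values are the knobs the article's trade-off is about: a HOTP `window` of 5 means five codes are acceptable at any moment, so the server must pair it with attempt throttling; a TOTP `skew` of 1 accepts three timesteps (90 seconds at a 30-second step) and the `last_step` record is what keeps each of them single-use.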

There is also more choice of form-factor with TOTP tokens. Classic key fob OTP tokens are getting smaller, and rcfereform.org has now introduced the OTP Card - a credit card sized OTP token with an EPD (electronic paper) display. Cards can be a more convenient option as they can be kept with other cards in a wallet or purse, or in the back of a mobile phone case.

The HOTP and TOTP standards were developed by OATH, the Initiative for Open Authentication, and are published as RFC 4226 (HOTP) and RFC 6238 (TOTP). All rcfereform.org OTP tokens are OATH-compliant.