CyberGlossary

Identity & Access

HMAC-Based One-Time Password (HOTP)

Also known as: RFC 4226, Event-based OTP

Definition

An event-based one-time password algorithm defined in RFC 4226 that derives a short code from a shared secret and a monotonically increasing counter.

HOTP is the original IETF OTP standard and the foundation on which TOTP is built. The client and server share a symmetric secret and a counter; each authentication computes HMAC-SHA1 over the counter, truncates the output to a 6- to 8-digit code, and increments the counter. Because there is no time component, a code remains valid until it is used or skipped, which makes HOTP suitable for hardware tokens and offline, scratch-card style backup codes. The server must accept a look-ahead window of counter values to tolerate accidental button presses that advance the client's counter ahead of the server's. HOTP has largely been superseded by TOTP for everyday MFA, but the algorithm still underpins many enterprise hardware tokens.
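The three steps above (HMAC-SHA1 over the counter, dynamic truncation, reduction to digits) together with server-side look-ahead verification, as an added Python example that is not part of this glossary entry. The 20-byte ASCII secret is the test-vector key from RFC 4226 Appendix D, so the codes can be checked against the RFC's table; the desynchronised-token scenario and the look-ahead size of 10 are constructed for illustration, and the server state class is an assumption, not any particular product's implementation.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP code for one counter value (RFC 4226, section 5.3)."""
    # Step 1: HMAC-SHA1 over the counter encoded as an 8-byte big-endian integer.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Step 2: dynamic truncation. The low 4 bits of the last byte pick an offset;
    # the 4 bytes from that offset form a 31-bit integer (top bit masked off).
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    # Step 3: reduce modulo 10^digits and left-pad with zeros.
    return str(code % 10**digits).zfill(digits)


class HotpServerState:
    """Server-side record for one token: shared secret plus the next counter
    the server expects. Hypothetical helper, constructed for this example."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, submitted: str) -> bool:
        """Accept a code if it matches any counter in [counter, counter+look_ahead].

        On success the server counter jumps past the matched value, so the same
        code (and any skipped earlier codes) can never be replayed.
        """
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c, self.digits)
            # Constant-time comparison avoids leaking which digits matched.
            if hmac.compare_digest(expected, submitted):
                self.counter = c + 1
                return True
        return False


def simulate_desync(presses_before_login: int, look_ahead: int = 10) -> dict:
    """Constructed scenario: the user presses the token button several times
    without logging in, then submits the next code. Returns what happened."""
    server = HotpServerState(TEST_SECRET, look_ahead=look_ahead)
    client_counter = presses_before_login          # codes 0..n-1 were wasted
    code = hotp(TEST_SECRET, client_counter)
    accepted = server.verify(code)
    replayed = server.verify(code)                 # second use must fail
    return {
        "accepted": accepted,
        "server_counter_after": server.counter,
        "replay_accepted": replayed,
    }


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))            # RFC 4226 values: 755224, 287082, 359152
    print(simulate_desync(3))                      # inside window: accepted
    print(simulate_desync(20))                     # outside window: needs manual resync
```

Note that the look-ahead window is a trade-off: a larger window tolerates more stray button presses, but every extra counter value the server will accept is one more valid code for an online guesser, which is why RFC 4226 pairs the window with throttling of failed attempts.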

Examples

  • A YubiKey configured in HOTP mode emitting a new 6-digit code on each button press.
  • Paper-based backup codes issued by a corporate VPN portal.

Related terms