HMAC-Based One-Time Password (HOTP)
What is HMAC-Based One-Time Password (HOTP)?
An event-based one-time password algorithm defined in RFC 4226 that derives a short code from a shared secret and a monotonically increasing counter.
HOTP is the original IETF OTP standard and the foundation on which TOTP is built. The client and server share a symmetric secret and a counter; each authentication computes HMAC-SHA1 over the counter, truncates the output to a 6-8 digit code, and increments the counter. Because there is no time component, codes remain valid until used or skipped, which makes HOTP suitable for hardware tokens and offline scratch-card style backup codes. The protocol must include a look-ahead window to tolerate accidental button presses that desynchronize the counter. HOTP is largely superseded by TOTP for everyday MFA, but the algorithm still underpins many enterprise hardware tokens.
● Examples
- 01
A YubiKey configured in HOTP mode emitting a new 6-digit code on each button press.
- 02
Paper-based backup codes issued by a corporate VPN portal.
● Frequently asked questions
What is HMAC-Based One-Time Password (HOTP)?
An event-based one-time password algorithm defined in RFC 4226 that derives a short code from a shared secret and a monotonically increasing counter. It belongs to the Identity & Access category of cybersecurity.
What does HMAC-Based One-Time Password (HOTP) mean?
An event-based one-time password algorithm defined in RFC 4226 that derives a short code from a shared secret and a monotonically increasing counter.
How do you defend against HMAC-Based One-Time Password (HOTP)?
HOTP is itself an authentication control rather than a threat, so the question is how to deploy it safely. As the definition above describes, that combines technical controls (protecting the shared secret, keeping the counter in sync with a look-ahead window) with operational practices.
What are other names for HMAC-Based One-Time Password (HOTP)?
Common alternative names include: RFC 4226, Event-based OTP.