TOTP vs. HOTP: Key Differences Explained
What They Are
- HOTP (HMAC‑Based One‑Time Password): Generates a one‑time password based on a counter that increases each time a code is requested.
- TOTP (Time‑Based One‑Time Password): Generates a one‑time password based on the current time, usually in 30‑second intervals.
Core Difference
How They Work
HOTP
- Both server and client store a shared secret key.
- A counter increments each time a code is generated.
- The HOTP value = HMAC(secret, counter), truncated to a short numeric code.
- The server accepts the code if its counter is within a small “window.”
Implication:
If someone obtains an unused HOTP code, it remains valid until that counter value is consumed.
TOTP
- Also uses a shared secret key, but instead of a counter:
- TOTP = HMAC(secret, current_time_interval), truncated the same way.
- The time is divided into slices (typically 30 seconds).
- Codes expire automatically.
Implication:
Even if someone steals a code, it becomes useless once the current time slice ends (typically within 30 seconds).
Security Considerations
HOTP
✅ Resistant to time drift
❌ Vulnerable because unused codes stay valid
❌ Easy to cause “counter desync” if codes are generated but not used (the client counter runs ahead of the server's)
TOTP
✅ Automatically expires → more secure
✅ Most modern services prefer it
❌ Requires accurate system time
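The following is an added example, not code from the original post: a minimal RFC 4226 HOTP and RFC 6238 TOTP implementation in Python's standard library, plus the two server-side checks discussed above (the HOTP look-ahead window and the TOTP clock-skew tolerance). The `HotpServer` class, `verify_totp` helper, window sizes and the demo timestamps are my own choices; the secret `12345678901234567890` is the shared test secret from both RFCs, so the generated codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the 4-byte slice
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time slice (unix_time // step)."""
    return hotp(secret, for_time // step, digits)


class HotpServer:
    """Server side of HOTP (hypothetical helper): keeps the expected counter and a look-ahead window."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window      # how far ahead the client may have drifted
        self.digits = digits

    def verify(self, code: str) -> bool:
        # Try the expected counter and up to `window` values ahead of it.
        # Counters below self.counter are never re-accepted, which blocks replay,
        # but a code for a counter within the window stays valid until it is consumed.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1   # resync: move past the accepted counter
                return True
        return False


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current time slice plus `skew` slices either side to tolerate small clock drift."""
    current = now // step
    for c in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"    # shared test secret from RFC 4226 / RFC 6238

    # HOTP: an unused code from inside the window is accepted later, once, then dead.
    server = HotpServer(secret, window=5)
    stale = hotp(secret, 3)             # generated on the token but not submitted
    print("HOTP counter 3 accepted later:", server.verify(stale))     # True
    print("HOTP counter 3 replayed:", server.verify(stale))           # False
    print("HOTP counter 20 (desynced beyond window):", server.verify(hotp(secret, 20)))  # False

    # TOTP: the same code is only good for its own slice (plus the skew allowance).
    t0 = int(time.time())
    code = totp(secret, t0)
    print("TOTP now:", verify_totp(secret, code, t0))                 # True
    print("TOTP +30s:", verify_totp(secret, code, t0 + 30))           # True (skew=1)
    print("TOTP +60s:", verify_totp(secret, code, t0 + 60))           # False
```

`hotp()` reproduces the RFC 4226 test vectors (counter 0 gives 755224, counter 1 gives 287082) and `totp()` with 8 digits reproduces the RFC 6238 SHA-1 vectors (time 59 gives 94287082). The `HotpServer` demo shows the two HOTP properties from the list above in one run: a skipped code is still accepted because it sits inside the look-ahead window, while a token that has drifted past the window is rejected until it is resynchronised. `hmac.compare_digest` is used for every comparison so that verification time does not leak how many leading digits matched.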
Real‑World Examples
HOTP:
- Older RSA hardware tokens
- Some enterprise VPN key fobs
TOTP:
- Google Authenticator
- Microsoft Authenticator
- Authy
- Many cloud MFA systems
Summary
- TOTP is time‑based → more secure, most widely used today.
- HOTP is counter‑based → ideal for offline systems, but less secure due to persistent code validity.