
What is HMAC-based OTP (HOTP)?

HMAC OTP, commonly called HOTP, is a one-time password algorithm that generates login codes from a shared secret key, an HMAC function, and a counter. Unlike time-based OTPs (TOTP), an HOTP code changes only when the counter advances, which happens each time the token generates a code, for example when the user presses its button.

HOTP is defined in RFC 4226 and is widely used in hardware tokens, authenticator systems, and identity workflows where a server and user device need to produce matching one-time codes without sending the secret over the network.

How HMAC OTP works

HOTP starts with two values: a secret key shared by the authentication server and the user's token, and a counter that the token increments each time it generates a code and the server increments each time it accepts one. The token computes HMAC over the 8-byte, big-endian counter using the secret key; RFC 4226 specifies HMAC-SHA-1. The 20-byte result is reduced by dynamic truncation (the low four bits of the last byte select a 4-byte window, whose 31-bit value is taken modulo 10^d) to a numeric OTP of d digits, usually 6 or 8.

When the user enters the code, the server runs the same computation for its stored counter and, to tolerate codes the token generated but the user never submitted, for a small look-ahead window of counters after it. On a match the server stores the matching counter plus one, so the same code cannot be replayed; if no counter in the window matches, the token is out of sync and must be resynchronized before it can be used again.
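The following Python is an added worked example, not code from this page or from RFC 4226. It implements both halves described above: the token-side code generation (HMAC-SHA-1, dynamic truncation, decimal reduction) and the server-side check with a look-ahead window and replay protection. The secret is the RFC 4226 test-vector secret used as constructed sample input; the function names and the look_ahead parameter are this example's own.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
# Constructed sample input for this example; real secrets must be random bytes.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value as RFC 4226 specifies: HMAC-SHA-1 over the
    8-byte big-endian counter, dynamic truncation, then modulo 10^digits."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 codes are 6 to 8 digits")
    counter_bytes = struct.pack(">Q", counter)                     # step 1: 8-byte counter
    mac = hmac.new(secret, counter_bytes, hashlib.sha1).digest()  # step 2: 20-byte HMAC
    offset = mac[-1] & 0x0F                                       # step 3: low nibble of last byte
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % 10 ** digits).zfill(digits)               # step 4: decimal, zero padded


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side check. Returns the new counter to store on success,
    None on failure. Tries server_counter .. server_counter + look_ahead so
    codes the token generated but the user never submitted do not desync it."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    for c in range(server_counter, server_counter + look_ahead + 1):
        # Constant-time compare: a plain == would leak how many leading digits match.
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1  # store this; the matched counter can never be accepted again
    return None


if __name__ == "__main__":
    # Token side: the user presses the button three times but submits only the third code.
    codes = [hotp(RFC4226_SECRET, c) for c in range(3)]
    print("token codes:", codes)

    # Server side: still at counter 0, it accepts the third code via the look-ahead window.
    state = verify_hotp(RFC4226_SECRET, codes[2], server_counter=0, look_ahead=5)
    print("new server counter:", state)

    # Replaying the same code now fails: the server has moved past counter 2.
    print("replay accepted:", verify_hotp(RFC4226_SECRET, codes[2], server_counter=state, look_ahead=5))
```

The look-ahead window is a trade-off: every extra counter the server is willing to try is one more valid code an attacker can guess at, so keep it small and pair it with the rate limiting and lockout rules discussed later on this page.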

HOTP vs TOTP

Factor | HOTP | TOTP
Moving value | Counter | Current time interval
Code expiry | Valid until used or until the counter moves beyond the accepted window | Valid only for a short time period
Common use | Hardware tokens and event-based authentication | Authenticator apps and time-based MFA

The main difference is synchronization. HOTP needs counter synchronization, while TOTP needs accurate time synchronization. Both reduce the risk of password-only access, but neither protects fully against phishing if users can be tricked into entering live codes on a fake site.

Why HOTP matters in access control

HOTP supports multi-factor authentication by adding something the user has, such as a token or enrolled device, to something the user knows, such as a password. This makes stolen passwords less useful on their own.

For enterprise identity and access control, HOTP can help secure admin portals, remote access, privileged actions, and device enrollment workflows. Platforms such as Hexnode can fit into this broader access strategy by helping organizations manage endpoints, enforce security policies, and reduce exposure from unmanaged or non-compliant devices.

Key security considerations

HOTP security depends heavily on protecting the shared secret, keeping the look-ahead window small, limiting retry attempts, and using secure enrollment. If the secret key is exposed, an attacker can compute every code the token will ever produce, so the secret must be replaced rather than the counter reset. The server must also advance its stored counter past any code it accepts, otherwise a captured code can be replayed.

Organizations should also apply account lockout rules, rate limiting, audit logs, and phishing-resistant authentication for high-risk users where possible. HOTP is useful, but it works best as part of layered identity security rather than as the only control.

FAQs

Is HMAC OTP the same as HOTP?

Yes. HMAC OTP usually refers to HOTP, the event-based one-time password algorithm that uses HMAC and a counter to generate authentication codes.

Does HOTP work offline?

The token can generate HOTP codes without an internet connection, because it only needs the shared secret and its counter. The server, however, must still validate the submitted code against the user's stored secret and counter state, so the login itself requires a connection to the server.