6 min read
Curious about the difference between OTP, HOTP and TOTP? We dive into what each type of one-time password means and which could be best for your use case.

OTP vs HOTP vs TOTP - What they mean

Link to this section

OTPs, HOTPs and TOTPs are designed to keep sensitive information secure by making it harder for hackers to gain access to protected information.

What is an OTP?

Link to this section

A one-time password (OTP) is a password you can only use once. OTPs are sometimes used in standalone form - known as passwordless authentication. OTPs are also used to complement standard password use - by adding a layer of verification.

Whenever the user tries to access a system or perform a transaction on an authenticated device, a one-time password can verify their identity and authorize the action.

OTPs in action

Link to this section

OTPs offer an almost effortless experience. Take the example of a customer trying to access their online banking account from their smartphone.

The customer tries to access their account and is then notified that the bank doesn’t recognize their device. In order to protect the user’s information the bank offers to send a one-time code as an SMS, phone call, push notification, or email.

After selecting a delivery option, the customer receives an OTP and provides it alongside their banking ID and password. After all the information is entered the customer is able to access their account.

Once used, the OTP becomes invalid. This increases security and makes it a lot harder for hackers to access sensitive information.

What are the benefits of an OTP?

Link to this section

Less chance of identity theft

Link to this section

A user’s identity can’t be stolen when hackers can’t access the accounts in the first place: OTPs are virtually impossible to guess.

Fewer forgotten password requests

Link to this section

Let resetting forgotten passwords become a thing of the past. It’s only human to forget your password, so why not retire the traditional forgotten password options for good?

Easy integration and scalability

Link to this section

Organizations can easily build OTPs into their apps and products and level up their security.

Improved user experience

Link to this section

Effortless sign-up and sign-in processes will win business and retain it for the long term.

Now we’ve covered what OTPs are, it’s time to cover the other ways they can be used. These unique one-time authentication codes will either be based on events (HOTP) or based on time (TOTP).

Hash-based one-time passwords (HOTP) are generated using a cryptographic hash function. It verifies a user’s identity by requiring them to enter a unique code in addition to their password.

At the very heart of the HOTP is a secret key. This key, sometimes known as “the seed”, is a value that the OTP token and the server exchange only once during the initialization of the token. The secret key is then stored by the token and the server and never shared again.

HOTPs depends on two pieces of information:

  • Secret key or seed: This is only known by the user’s token and the server that validates submitted OTP codes.
  • Moving factor: The moving factor in an event-based OTP is the counter (which counts the number of OTPs generated). The counter is stored in the token, on the server. The counter on the token is generated when the button is pressed, while the counter on the server is incremented only when an OTP is successfully validated.

HOTPs are generated by combining a secret key or seed with a counter and using a one-way cryptographic hash function to produce 160-bit code, which is then shortened to a six or eight-digit OTP.

The advantages of HOTP

Link to this section
  • HOTP is more user-friendly: it doesn’t expire, which provides flexibility. The user can enter the code whenever they want.
  • Event-based: HOTP uses an event-based OTP algorithm with the moving factor being the event counter which is a time value. Considering the OTP algorithm provides values that are short-lived based on time-based factors, this could be a big plus for those who are looking for enhanced security.

The disadvantages of HOTP

Link to this section
  • Valid for longer periods of time: HOTP could become vulnerable to cyberattacks as the code is valid for a longer period of time. This could give the hacker a longer window to access sensitive data.
  • HOTP may encounter synchronization issues: The event counter in HOTP could allow the potential for desynchronization between the server and the OTP token. For example, if the button on the token is pressed too many times, the value won’t align between the code and the server. To combat this issue the server would need to accept previous and subsequent codes leaving a window of risk open to hackers.

Time-based one-time passwords (TOTPs) are one-time passwords based on time. As opposed to a HOTP, these one-time passwords constantly refresh based on an assigned period of time.

The duration of a lapse for TOTP usually lasts between 30-180 seconds, with the time-lapse able to be personalized. If the user doesn’t enter the OTP in the allocated amount of time the password becomes invalid, and a new one is issued.

The advantages of TOTP

Link to this section
  • Can be used as a soft token: A TOTP authenticator can be embedded in hardware tokens as well as in implemented in software like Google Authenticator.
  • Easy to implement: TOTP is easy to implement with most authentication apps that generate TOTP tokens being free or charging an affordable fee so that organizations of any size can secure the user’s security with this identification method.

The disadvantages of TOTP

Link to this section
  • Can be stolen: Though unlikely, it is still possible for a real-time phishing attack to occur. For example, a hacker could impersonate the system requesting the code. A user could enter a real code into a fake system, giving the attacker the opportunity to use that code to access sensitive data.
  • TOTP uses a seed/shared secret: It’s not best practice to use shared secrets/seeds. Shared secrets are likely stored in plaintext format, on a provider’s server. This leaves a large security factor in the hands of the service provider. If a hacker gains access to the database, cyber attackers could populate the codes without the end-user ever finding out.
  • TOTP depends on a device: TOTP users are tied to a device whether it be a smartphone or hardware token. If anything happens to the device, whether it’s stolen or lost the service provider must reissue the TOTP authenticator.

See how Kinde compares to other authentication providers.

Get started now

Boost security, drive conversion and save money — in just a few minutes.