HMAC-based One-time Password (HOTP) is an algorithm for generating one-time password values defined in RFC 4226.
Questions tagged [hotp]
15 questions
7
votes
2 answers
How many known time/result combinations does it take to guess a HOTP/TOTP secret?
I thought about "recovering", "determining", "guessing", "calculating" or "reproducing" the HOTP/TOTP secrets when only the outcome (6-digit code + time) is known.
In case we can view the live creation of HOTP/TOTP codes without knowing the actual…
Bob Ortiz
- 6,234
- 8
- 43
- 90
5
votes
1 answer
Does TOTP make sense for verification codes?
I know that the concept of TOTP is for when the device on which the code is to be verified is separate from the device that is going to generate the code.
However, I was wondering if it is a bad idea to use the TOTP algorithm for generating the…
yukashima huksay
- 207
- 1
- 5
4
votes
3 answers
What security considerations should I make when choosing a TOTP app?
One company now requires that I either use Authy or Google Authenticator. Supposedly these are safer than getting a text message, but I'm still seeing people complain about how dangerous these are. For instance, this article says that both Authy…
StopSigningMeOut
- 43
- 3
4
votes
1 answer
TOTP / HOTP - Offline 1 hour password generator
I need to generate and valid a password / token for an hour.
Client -> generate password (valid for one hour)
Server -> valid it within an hour.
//System needs to work offline (TOTP)
TOTP is normaly 30 seconds... So if i change the TOTP interval to…
Stweet
- 143
- 2
3
votes
0 answers
One time password: combine time window and counter
I want to generate an OTP, that is valid once in a certain time window in the future. That time window is in the range of minutes to hours. After being used in that window, the OTP may not be used again. I found TOTP and HOTP on this topic. You can…
earthling
- 151
- 3
2
votes
3 answers
Why would a U2F key be more secured than an OTP device?
I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc... Which is great for a device like this.
First of all, I understand how a smart card is more secured than an app/sms based OTP for instance, but seeing how the…
Max13
- 195
- 8
2
votes
3 answers
Is using the 2FA secret on the same machine as using the credentials, removing one factor of 2FA?
In other words: Is saving or using the two-factor authentication (2FA) secret on the same machine to generate one-time passwords (OTP), breaking the two-factor authentication (2FA) concept since it's all done on one machine.
KeePass has some plugins…
Bob Ortiz
- 6,234
- 8
- 43
- 90
1
vote
1 answer
Does the lack of a secure channel really allow a replay attack to HOTP?
RFC 4226 on HOTP (7.1 Authentication Protocol Requirements) says
RP3 - P [the protocol] SHOULD be implemented over a secure channel in order to
protect users' privacy and avoid replay attacks.
But isn't the basic idea of HOTP (and TOTP) not to…
U. Windl
- 137
- 7
1
vote
3 answers
prevent/prohibit duplication of MFA software-token / ensure user identity
As I was unable to find any thread about this particular question, I'm trying to ask the community for help.
We're currently using RSA RADIUS based 2FA to authenticate external VPN users from companies to let them manage their systems inside our…
alphachris
- 19
- 4
1
vote
0 answers
How exactly do Fido Keys work?
Recently I acquired a security Fido key that allows me to use the U2F protocol on some of my accounts. Now I know that these keys use public/private keys for the specified account but I'm stuck on the logic of one part. How does the Fido Key know…
NerdOfCode
- 133
- 3
1
vote
3 answers
Prevention of devices using same OTP secret
I have a requirement of OTP applications on mobile devices not sharing the same secret (even if the mobile devices are owned by the same user). A single secret must be present in a single device.
Open source applications that implement OTP (like…
rcorreia
- 155
- 5
1
vote
2 answers
How should the counter value for HOTPs be stored?
RFC4226 describes the HOTP algorithm to "based on an increasing counter value and a static symmetric key known only to the token and the validation service", specifically:
HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))
How would one go about storing the…
monotonous
- 23
- 3
0
votes
0 answers
Combine HOTP and TOTP
I want to build a custom OTP implementation that utilizes the HOTP/TOTP algorithm.
I need to create several codes (one time passwords), which are all valid for the same time window in the future (e.g. five hours), but each code can only be used…
earthling
- 151
- 3
0
votes
1 answer
How does DUO push button method and other methods actually work?
Google authenticator uses HOTP and TOTP algorithm for TFA.
What is the basic working principle of DUO push? What brings security to DUO push?
Jay
- 3
- 2
0
votes
1 answer
Is using HOTP only authorization considered weak?
I have seen many experts advising usage of some kind of OTP as second step of 2FA schemes.
I fully understand 2FA is more secure than Single Authorization, but it is also more inconvenient for a casual user.
What about replacing passwords with HOTP…
ZioByte
- 217
- 1
- 7