How One-Time Passwords (OTPs) Work — A Detailed Guide

One-time passwords (OTPs) are short-lived authentication codes used to verify a user or transaction and help prevent account takeover and replay attacks by being valid for only a single use or a narrow time window[1][4]. This article explains the cryptographic foundations, standardized algorithms (HOTP and TOTP), delivery methods, security tradeoffs, implementation considerations, and best practices—plus links to authoritative resources you can consult for implementation details and standards[3][4][9].

Table of contents

- Introduction
- OTP fundamentals: what an OTP is and why it helps
- Core algorithms: HOTP and TOTP (how they work step-by-step)
- Other OTP flavors and delivery channels
- Security considerations and common attacks
- Implementation guidance and developer checklist
- User experience and operational concerns
- Further reading and authoritative resources
- Conclusion

OTP fundamentals: what an OTP is and why it helps

Definition: An OTP is a code generated for a single authentication event or a short time window; once used or expired it cannot be reused[1][3].

Purpose: OTPs add a possession factor to authentication—something the user has (device, phone, token)—complementing something they know (password) and reducing the impact of leaked static passwords[1][3].

Typical properties: short numeric or alphanumeric codes (commonly 6 digits), cryptographically derived from a shared secret plus a moving factor (counter or time), and validated server-side without storing reusable credentials[3][4].

Core algorithms: HOTP and TOTP

Both HOTP and TOTP are standardized, widely used, and form the basis of most OTP systems. ...

December 15, 2025 · 7 min · 1353 words · martinuke0