The HOTP algorithm provides a method of authentication by symmetric generation of human-readable passwords, or
values, each used for only one authentication attempt. The one-time property leads directly from the single use of each counter value. Parties intending to use HOTP must establish some ; typically these are specified by the authenticator, and either accepted or not by the authenticated entity: • A
cryptographic hash method
H (default is
SHA-1) • A
secret key K, which is an arbitrary byte string and must remain private • A
counter C, which counts the number of iterations • A HOTP value length
d (6–10, default is 6, and 6–8 is recommended) Both parties compute the HOTP value derived from the secret key
K and the counter
C. Then the authenticator checks its locally generated value against the value supplied by the authenticated. The authenticator and the authenticated entity increment the counter
C independently. Since the authenticated entity may increment the counter more than the authenticator, recommends a resynchronization protocol. It proposes that the authenticator repeatedly try verification ahead of their counter through a window of size
s. The authenticator's counter continues forward of the value at which verification succeeds, and requires no actions by the authenticated entity. To protect against brute-force attacks targeting the small size of HOTP values, the RFC also recommends implementing persistent throttling of HOTP verification. This can be achieved by either locking out verification after a small number of failed attempts, or by linearly increasing the delay after each failed attempt. 6-digit codes are commonly provided by proprietary hardware tokens from a number of vendors informing the default value of
d. Truncation extracts 31
bits or \log_{10}(2^{31}) \approx 9.3 decimal digits, meaning that
d can be at most 10, with the 10th digit adding less variation, taking values of 0, 1, and 2 (i.e., 0.3 digits). After verification, the authenticator can authenticate itself simply by generating the next HOTP value, returning it, and then the authenticated can generate their own HOTP value to verify it. Note that counters are guaranteed to be synchronised at this point in the process. The
HOTP value is the human-readable design output, a
d-digit decimal number (without omission of leading 0s): :
HOTP value =
HOTP(
K,
C) mod 10
d. That is, the value is the
d least significant base-10 digits of HOTP.
HOTP is a truncation of the
HMAC of the counter
C (under the key
K and hash function
H): :
HOTP(
K,
C) = truncate(HMAC(
K,
C)), where the counter
C must be used
big-endian. Truncation first takes the 4 least significant bits of the
MAC and uses them as a byte offset
i: : truncate(
MAC) = extract31(
MAC,
MAC[(19 × 8 + 4):(19 × 8 + 7)]), where ":" is used to extract bits from a starting bit number up to and including an ending bit number, where these bit numbers are 0-origin. The use of "19" in the above formula relates to the size of the output from the hash function. With the default of SHA-1, the output is , and so the last byte is byte 19 (0-origin). That index
i is used to select 31 bits from
MAC, starting at bit
i × 8 + 1: : extract31(
MAC,
i) =
MAC[(
i × 8 + 1):(
i × 8 + 4 × 8 − 1)]. 31 bits are a single bit short of a 4-byte word. Thus the value can be placed inside such a word without using the sign bit (the most significant bit). This is done to definitely avoid doing modular arithmetic on negative numbers, as this has many differing definitions and implementations. == Tokens ==