Learn about Time-based (TOTP), Counter-based (HOTP), and advanced Challenge-Response authentication protocols
Time-based One-Time Password
How it works:
This code automatically refreshes every 30 seconds based on the current time. The code is synchronized with UTC time and is valid for the current 30-second window.
Counter-based One-Time Password
How it works:
This code doesn't expire automatically. It is generated from a counter that increments each time a new code is requested, so every generation advances the counter by one.
Server-generated Challenge Authentication
How it works:
Server generates a unique challenge. Your authenticator combines it with your secret to create a response. Each challenge is single-use and expires in 5 minutes.
Time-based One-Time Password
RFC 6238 Standard
Codes are generated based on the current time (usually 30-second windows). The same code is valid for the entire time window.
Codes automatically expire after 30 seconds and a new code is generated. This provides better security as codes can't be reused after expiration.
Example: When you log into your email with Google Authenticator, the code refreshes every 30 seconds automatically.
HMAC-based One-Time Password
RFC 4226 Standard
Codes are generated based on an incrementing counter value. Each code is tied to a specific counter number.
Codes don't expire automatically. A new code is only generated when you manually request it, which increments the counter. Codes remain valid until used.
Example: When making a bank transfer, you receive a one-time code via SMS. This code is only valid for that specific transaction.
Server-generated Challenge Authentication
Enterprise Security Standard
Server generates unique challenges (random data or transaction details). Each authentication uses a different challenge value.
User's device combines the challenge with a shared secret to generate a unique response. Each challenge produces a different response, even with the same secret.
Example: When authorizing a $10,000 wire transfer, the bank sends challenge "TX-2024-A1B2C3". Your device generates response "847291" specific to this transaction.
| Feature | TOTP | HOTP | Challenge-Response |
|---|---|---|---|
| Base Standard | RFC 6238 | RFC 4226 | Enterprise Custom |
| Code Expiration | 30 seconds | No expiration | 5 minutes |
| Synchronization | Time-based (UTC) | Counter-based | Challenge-based |
| Code Refresh | Automatic | Manual | Server-initiated |
| Replay Protection | Time window validation | Counter increment required | Unique challenge per use |
| Clock Drift Tolerance | ±30 seconds | Not applicable | Not applicable |
| Mobile App Support | Widely supported | Limited support | Enterprise apps |
| Use Case | Login authentication | API/Transaction auth | High-value transactions |
How TOTP codes are generated:
1. A secret key is shared between the server and your device during initial setup (usually via QR code).
2. The current time is divided by the time step (30 seconds) to get a time counter.
3. The HMAC-SHA1 algorithm combines the secret key with the time counter to generate a hash.
4. The hash is processed to extract a 6-digit code that's valid for the current 30-second window.
How HOTP codes are generated:
1. A secret key is shared between the server and your device, similar to TOTP.
2. Both sides maintain a synchronized counter that starts at 0 and increments with each code generation.
3. The HMAC-SHA1 algorithm combines the secret key with the current counter value to generate a hash.
4. The hash is processed to extract a 6-digit code. The counter increments for the next code.
How challenge-response authentication works:
1. The server generates a unique challenge containing random data or transaction-specific information.
2. The challenge is sent to the user's authenticator device through a secure channel.
3. The user's device combines the challenge with the shared secret using HMAC to generate a response.
4. The server performs the same calculation and verifies that the response matches the expected value.
All three protocols use industry-standard cryptography to secure authentication.
Cryptographically secure hashing algorithms
Encrypted secret key storage
Prevents replay attacks
Codes cannot be reused
TOTP and HOTP work offline: no network connection is needed to generate a code.
Follows international standards
Unique challenge per transaction
Challenge includes transaction data
Maximum security for high-value operations