hotp – WindowsTechs.com

Is TOTP "more secure" and harder to crack than HOTP and why?

Posted on November 2, 2023 by Bob Ortiz

In addition to my question: How many known time/result combinations does it take to guess a HOTP/TOTP secret?.
I’ve read often that TOTP is more secure than HOTP. One example:

TOTP provides higher security due to its time-based nature, re… Continue reading Is TOTP "more secure" and harder to crack than HOTP and why?→

Where does Google Authenticator store its secrets on iOS?

Posted on January 26, 2023 by alx9r

According to this disused repository Google Authenticator implements OATH TOTP (RFC 6238) and OATH HOTP (RFC 4226). Those RFCs each seem to describe a secret that the user’s device on which Authenticator runs must know. In principle the … Continue reading Where does Google Authenticator store its secrets on iOS?→

Does the lack of a secure channel really allow a replay attack to HOTP?

Posted on November 5, 2021 by U. Windl

RFC 4226 on HOTP (7.1 Authentication Protocol Requirements) says

RP3 – P [the protocol] SHOULD be implemented over a secure channel in order to
protect users’ privacy and avoid replay attacks.

But isn’t the basic idea of HOTP (and TOTP) … Continue reading Does the lack of a secure channel really allow a replay attack to HOTP?→

Does TOTP make sense for verification codes?

Posted on May 29, 2021 by yukashima huksay

I know that the concept of TOTP is for when the device on which the code is to be verified is separate from the device that is going to generate the code.
However, I was wondering if it is a bad idea to use the TOTP algorithm for generatin… Continue reading Does TOTP make sense for verification codes?→

Why would a U2F key be more secured than an OTP device?

Posted on April 7, 2021 by Max13

I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc… Which is great for a device like this.
First of all, I understand how a smart card is more secured than an app/sms based OTP for instance, but seeing… Continue reading Why would a U2F key be more secured than an OTP device?→

prevent/prohibit duplication of MFA software-token / ensure user identity

Posted on May 22, 2020 by alphachris

As I was unable to find any thread about this particular question, I’m trying to ask the community for help.

We’re currently using RSA RADIUS based 2FA to authenticate external VPN users from companies to let them manage their systems ins… Continue reading prevent/prohibit duplication of MFA software-token / ensure user identity→

One time password: combine time window and counter

Posted on November 12, 2019 by Earthling

I want to generate an OTP, that is valid once in a certain time window in the future. That time window is in the range of minutes to hours. After being used in that window, the OTP may not be used again. I found TOTP and HOTP… Continue reading One time password: combine time window and counter→

How does DUO push button method and other methods actually work?

Posted on February 2, 2019 by Jay

Google authenticator uses HOTP and TOTP algorithm for TFA.
What is the basic working principle of DUO push? What brings security to DUO push?

Continue reading How does DUO push button method and other methods actually work?→

Is using HOTP only authorization considered weak?

Posted on September 30, 2018 by ZioByte

I have seen many experts advising usage of some kind of OTP as second step of 2FA schemes.
I fully understand 2FA is more secure than Single Authorization, but it is also more inconvenient for a casual user.
What about replacing passwords … Continue reading Is using HOTP only authorization considered weak?→

Prevention of devices using same OTP secret

Posted on July 20, 2017 by rcorreia

I have a requirement of OTP applications on mobile devices not sharing the same secret (even if the mobile devices are owned by the same user). A single secret must be present in a single device.

Open source applications tha… Continue reading Prevention of devices using same OTP secret→