Authn.tech
Home
  • SAML 2.0
  • OAuth 2.0
  • OIDC
  • WebAuthn / Passkey
  • MFA / TOTP
  • LDAP
  • All Tools
  • JWT Decode
  • JWT Sign
  • JWK Gen
  • JWK → PEM
  • PEM → JWK
  • PKCE Gen
  • OIDC Discovery
  • TOTP
  • WebAuthn
  • SAML Codec
  • SAML Metadata
  • SAML Response
  • X.509 Cert
  • PEM Inspect
  • Base64URL
  • LDAP Filter
  • Overview & Roles
  • OIDC Mock
  • SAML Mock
  • Mail Server
  • LDAP Directory
  • OIDC Login Demo
  • SAML Login Demo
  • 简体中文
  • English
  • Deutsch
GitHub
Home
  • SAML 2.0
  • OAuth 2.0
  • OIDC
  • WebAuthn / Passkey
  • MFA / TOTP
  • LDAP
  • All Tools
  • JWT Decode
  • JWT Sign
  • JWK Gen
  • JWK → PEM
  • PEM → JWK
  • PKCE Gen
  • OIDC Discovery
  • TOTP
  • WebAuthn
  • SAML Codec
  • SAML Metadata
  • SAML Response
  • X.509 Cert
  • PEM Inspect
  • Base64URL
  • LDAP Filter
  • Overview & Roles
  • OIDC Mock
  • SAML Mock
  • Mail Server
  • LDAP Directory
  • OIDC Login Demo
  • SAML Login Demo
  • 简体中文
  • English
  • Deutsch
GitHub
  • MFA / OTP

    • MFA and One-Time Password Overview
    • HOTP / TOTP Algorithm Deep Dive
    • otpauth URI and Parameter Reference

MFA and One-Time Password Overview

Multi-Factor Authentication (MFA) provides defense-in-depth when passwords are compromised by requiring users to provide two or more mutually independent authentication factors to prove identity. This chapter focuses on the most common second factor in engineering practice—One-Time Password (OTP)—with emphasis on the HOTP and TOTP algorithms.

What is MFA

The core weakness of single-password authentication is that passwords are static and reproducible credentials. Once compromised via password databases, phishing, data breaches, or keyloggers, attackers can replay them indefinitely. MFA's approach is to layer authentication factors from different "categories," forcing attackers to compromise multiple independent channels simultaneously.

Three Categories of Authentication Factors

Authentication factors are traditionally divided into three categories. MFA requires factors from different categories to constitute true "multi-factor" (two passwords do not constitute MFA):

CategoryEnglishMeaningTypical Examples
Knowledgesomething you knowSecrets memorized by the userPassword, PIN, security questions
Possessionsomething you haveDevice or object owned by the userTOTP authenticator app, hardware token, phone (SMS/push), FIDO security key
Inherencesomething you areBiometric trait of the userFingerprint, face, iris, voiceprint

Tips

"Knowledge + Possession" is the most mainstream MFA combination: password (knowledge) + TOTP authenticator app (possession). The OTP discussed in this chapter belongs to the "possession" category—it proves the user possesses the device that stores the shared secret.

What Problem Does OTP Solve

One-Time Password (OTP) is a dynamic passcode that can only be used once and quickly expires. Compared to static passwords, its value lies in:

  1. Replay resistance: Each OTP is valid for only a very short window (TOTP typically 30 seconds), so even if intercepted, the attacker's window for reuse is minimal.
  2. Unpredictability: OTP is generated by a cryptographic algorithm based on a shared secret, making it impossible for attackers to predict the next OTP from historical ones.
  3. Offline generation: Computed from the local shared secret without network round-trips, not dependent on SMS channels (SMS OTP has SIM hijacking and other risks).

OTP has two standard algorithms, both defined by the IETF and sharing the same dynamic truncation core:

  • HOTP (HMAC-based One-Time Password, RFC 4226): Based on an incrementing counter.
  • TOTP (Time-based One-Time Password, RFC 6238): Based on current time, a time-based variant of HOTP.

Relationship and Differences Between HOTP and TOTP

TOTP is not an independent algorithm but rather HOTP with the "counter" replaced by "time step." Their relationship can be summarized as:

TOTP(K) = HOTP(K, T), where T = floor((current Unix time - T0) / period)

In other words, HOTP is the foundation, and TOTP is a modification where the moving factor changes from "counter" to "time slice number."

DimensionHOTP (RFC 4226)TOTP (RFC 6238)
Moving factorEvent counterTime step T
When it changesCounter increments by 1 on each generationAutomatically changes at each time step (default 30 seconds)
Server-side stateMust persist and sync counterOnly needs to store the key, no counter needed
Desynchronization riskClient and server counters may drift, requires look-ahead windowOnly affected by clock offset
Validity periodValid until the next useValid only in current time step (+ tolerance window)
Typical use caseHardware token key generation, offline scenariosAuthenticator app, vast majority of online MFA

Warning

HOTP counter synchronization is an engineering challenge: users may accidentally advance the token counter, and the server must set a "look-ahead window." TOTP replaces the counter with time, naturally avoiding this issue, which is why almost all online services use TOTP.

TOTP's Position in Practice

TOTP is the most widely deployed software second factor:

  • Authenticator apps: Google Authenticator, Microsoft Authenticator, Authy, 1Password, FreeOTP, etc. all implement TOTP via QR code import of the shared secret.
  • Login integration: In enterprise login flows using OIDC (OpenID Connect) / SAML, TOTP commonly serves as a second verification step after passwords (step-up / second factor), triggered by the IdP (Identity Provider) after the first factor.
  • Standardization and interoperability: Because both the algorithm and the otpauth:// URI have public standards, any authenticator app and any server can interoperate without vendor lock-in.

Comparison with WebAuthn

TOTP is simple to deploy and offers familiar UX, but it has a fundamental limitation: it is not phishing-resistant. TOTP codes have no binding to the domain being accessed, so users will enter the 6-digit code seen on a phishing site as-is, and attackers can relay it in real-time (real-time phishing / MITM). WebAuthn / FIDO2 uses public-key cryptography and binds credentials to the origin domain, preventing phishing at the protocol level.

FeatureTOTPWebAuthn / Passkey
Phishing resistanceNo (codes can be relayed)Yes (credentials bound to origin)
Shared secretYes (server also stores key; compromise enables cloning)No (private key never leaves device)
Breach resilienceWeakStrong (server only stores public key)
User actionManually enter 6-digit codeBiometric/PIN one-touch
Deployment costLowMedium (requires browser/platform support)
Offline usabilityYesVaries by authenticator

Tips

Think of TOTP as a "middle layer—stronger than passwords, weaker than WebAuthn." For high-security requirements, prioritize WebAuthn adoption (see ../webauthn/); TOTP is suitable as a baseline second factor with broad coverage, or as a fallback when WebAuthn is unavailable.

Applicable Scenarios

  • Recommended for TOTP: Public-facing SaaS needing a zero-hardware-cost, cross-platform second factor; enterprises rolling out MFA to existing accounts; fallback for WebAuthn.
  • Recommended for HOTP: Distributing dedicated hardware tokens, offline devices without stable clocks.
  • Caution/not recommended: Using SMS OTP alone as the sole second factor for high-value accounts (SIM hijacking, SS7 attack risks); scenarios with hard requirements for phishing resistance should use WebAuthn.

Navigation for This Chapter

  • HOTP / TOTP Algorithm Deep Dive — Shared secrets, HMAC dynamic truncation, TOTP time steps, verification windows, and complete JS example.
  • otpauth URI and Parameter Reference — otpauth:// URI format, parameter defaults, QR code conventions, authenticator compatibility, and troubleshooting reference.

Related chapters: OAuth 2.0 · WebAuthn

Last updated: 7/6/26, 7:49 AM
Contributors: linux, Claude Opus 4.8
Next
HOTP / TOTP Algorithm Deep Dive