One-Time Password (OTP) algorithms, such as those used in the OATH (Open Authentication) framework, provide a dynamic and time-sensitive method for generating passwords.
These OTP algorithms are widely used for two-factor authentication (2FA) and other security mechanisms that require dynamic, time-sensitive passwords. The choice of algorithm depends on factors like security requirements, usability, and compatibility with the authentication system.
Three common OTP algorithms within OATH are:
| Algorithm | Description |
|---|---|
| HOTP (HMAC-Based One-Time Password) | HOTP generates OTPs based on a secret key (K) and a counter value (C). The OTP is calculated by applying HMAC (Hash-based Message Authentication Code) to the counter and key. The counter is typically incremented with each authentication attempt. Both the client and server need to maintain the same counter and secret key. |
| TOTP (Time-Based One-Time Password) | TOTP is similar to HOTP but instead uses a timestamp as a counter. The OTP is calculated as a function of the current time and a shared secret key (K). The time is usually divided into time intervals (e.g., 30 seconds), and the OTP changes every interval. The server and client must be synchronized in terms of time. |
| OCRA (Challenge-Response Algorithm) | OCRA is a flexible OTP algorithm that incorporates challenge-response mechanisms. It combines elements like PINs, question challenges, and timestamps with a shared secret key (K) to generate OTPs. The server sends a challenge to the client, which combines it with the secret key and other parameters to create a response that becomes the OTP. This adds an additional layer of security. |