HOTP algorithm, or HMAC based one-time password algorithm, was first published by OATH as RFC 4226 back in 2005. What is OATH? OATH or Initiative for Open AuTHentication is an organization which specified, put together and published the OATH OTP algorithms that lie at the heart of MFA (multi-factor authentication). It is time we look closely at these algorithms, specifically — OATH-HOTP. HOTP algorithm is what allows creating one-time passwords by utilizing a secret key and a counter. Today we will look at how OTP works, what role HMAC algorithm plays in it and look at both what is HOTP and TOTP. A table of contents for your convenience: What does OTP meanWhat is HMACWhat is hashWhat is MACSo what is HMACWhat is HOTPHOTP synchronization problemHOTP security problemHOTP vs TOTPProtectimus tokens with HOTP algorithm What does OTP mean First, let’s discuss the OTP meaning. One time or one-time password is usually a string of randomly generated digits that works for one login or transaction only. These dynamic passwords, unlike the static ones, are hard to bypass or hack, since the hacker will need access to both something you have (OTP generating device, like cellphone or hardware token) and something you know (like pin code). OTPs are the best protection against such common hacks as phishing, bruteforce, keyboard logging, man-in-the-middle attacks. Here’s an OTP password example: What is HMAC What is hash Hash is the mathematical algorithm used by HMAC-based one-time passwords. Simply put — it is a math function that turns one value into another, or condenses data to a specific size. Here’s an example. If this passage was run through a hashing algorithm: the result, known as a hash value (SHA-1, hex), would be this: 2faff97be86cbbf921b8e5b9e1c74b82af080016 At the same time, if we change the slightest detail in the source text, for example, remove quotation marks, the hash value will be completely different: D0f8e2703fb647ce0504f6222c04f473f9f88a94 No matter what the volume of the source information is, be it a Moby-Dick or just a phone number, its hash value is always a string of symbols of a predetermined size. Comparing a hash and the hash value is far easier for a computer than comparing original files. So the hash value from the example would be a convenient tool for a computer to compare, identify or run calculations against data and files. Hashing is used for a variety of purposes, among them is compression, cryptography, data indexing, checksum generation. Also, it’s impossible to decode the source information from the hash, what differs hashing from encryption. Thus, it is an especially good fit for cybersecurity purposes. | Read also: Identification, authentication, and authorization – what’s the difference What is MAC Message Authentication Code, or MAC, is a crypto checksum for data transferred through insecure channels. With MAC applied the receiving party can verify the authenticity of the message simply by establishing that the sender has the secret key. In case the sender does not have the correct seed, the MAC value would be wrong and the recipient would know the message was not sent from the legitimate sender. First of all, the sender and the recipient share a secret key (also called a seed) and agree to use the same MAC generation algorithm. Before sending the message, the sender generates the Message Authentication Code passing the message (Message) with the shared secret (Key) through the MAC generation algorithm. Then they send the message and the received MAC to the recipient. When the recipient gets the message, they also generate the Message Authentication Code in their turn, passing the message they just received (Message) and the shared secret (Key) through the same the MAC generation...