One-time Password Algorithms – CompTIA Security+ SY0-401: 5.2


A useful security authentication technique is the use of one-time passwords. In this video, you’ll learn how one-time passwords are implemented and the differences between the HOTP and TOTP algorithms.

<< Previous Video: Multi-factor AuthenticationNext: CHAP and PAP >>


If you’ve ever authenticated to a resource using multiple forms or factors of authentication then you’ve probably used a username, a password, and probably some type of one-time password. In this video we’ll look at a couple of different ways to provide this one-time password functionality.

One-time passwords are passwords that we use a single time, and we never use them ever again. These passwords may be useful for a single session, or they may really be used every time we want to authenticate. And then, whether we get the authentication correct or incorrect, we’re never going to use that one-time password again.

One common way of providing this one-time password is through something called HOTP. The stands for HMAC-based One-Time Password algorithm. And it uses a keyed-hash message authentication code, or an HMAC. This message authentication code is something that’s going to pop up on the screen. And it’s all based on a secret key and a counter that is in place. And this message that pops up is the one that we’re going to use as our one-time password.

We commonly see this used on token-based authentication, where you’re carrying around different kinds of tokens. I have a token here, and that one-time password would pop up on my token generator. And that’s what I would use to be able to authenticate. Every time you try to authenticate, every time you push the button on that token authenticator, it’s going to give you a different hash every time.

There are both the hardware and software tokens that you can get to do this. So you’re going to need some type of additional technology to make this work, either something physical that people can take along with them, or you’ll need to install software on mobile devices that people carry with them.

TOTP stands for Time-based One-Time Password. In a time-based one-time password you’re going to get a certain password based on whatever time of the day it happens to be. This is a little bit different than the HOTP we were just talking about, where you got a password based on a counter. Every time you use that password the counter would then increment. In the case of TOTP, it just depends on what time of day it happens to be. And that’s what’s going to synchronize these passwords together on both your side and on the resource.

For time-based passwords, obviously, time synchronization is very important. So you’ll need to define a secret key and then time stamp and have everything synchronized via standard protocol such as Network Time Protocol. These timestamps usually increment every 30 seconds or so, although this value can be changed by the administrator. So you would put in your username and your password, and you would put in whatever the latest 30 second code happened to be.

And if you didn’t get that right you may have to restart the process. And if 30 seconds of gone by you may have to input a different password because the time of the day is now different. This is a very common way to provide one-time passwords. If you’re using a separate one-time password generator for Google, for Facebook, or for Microsoft then you’re probably using TOTP.