Growth & Marketing

October 25, 2020

September 2, 2020

HOTP vs TOTP: Differences and advantages

Table of contents

Protecting users’ identity online has become one of the most important challenges in the online world. In order to protect users’ from password theft and account takeovers, multi-factor authentication with one-time passwords is heavily used.

OTP stands for "one-time password" and it is frequently used as an additional verification factor in multi-factor authentication systems. You probably used them as a user, but when it comes to implementing them in your own verification system, what kind of OTP is more suitable? 

In general terms, two different types of OTPs can be distinguishedHOTPs and TOTPs. But what are HOTPs and TOTPs? Do you want to know the difference between them? Which one is more recommended? 

What is an OTP?

A one-time password or OTP is a unique code that is sent to a user, normally to their email or phone. It is usually compounded by 4 to 6 characters that the user has to enter in order to verify their identity. Unlike passwords, users can only use one-time codes once. This makes OTPs a pretty secure system to recover accounts or add an extra layer of security to them. In the unlikely event that a third user would take over the user’s device and hack the one-time code, this can only be used once.

One-time passwords are frequently used as a complementary authentication factor in multi-factor authentication processes, but it can also be the sole method to authenticate a user.

These authentication codes can be based on events (HOTP) or on time (TOTP). 

What is an HOTP?

HOTPs are one-time codes based on events. HOTP stands for "hash-based one-time password", therefore it is based on hash-based message authentication codes. The generation of this type of code is based on a counter, that is activated and incremented with each event. 

This kind of OTP consists of the generation of a token that only the user and the server can know. This token is sent to the user and is based on a hash algorithm, hence the name "hash-based one-time passwords".

HOTPs aren’t usually based on time, instead they are valid until the following code is requested by the user.

What is a TOTP?

TOTPs are one-time passwords based on time. TOPT stands for "time-based one-time password". 

As opposed to the previous type, these OTPs base their functioning on time sequences called timesteps. The duration of a timestep for a TOTP usually lasts between 30 and 180 seconds, but you can personalize this time lapse. Hence, if the user doesn't enter the one-time password in the set amount of time, the code won't be valid anymore.

HOTP vs TOTP: What's the difference?

The moving factor is the main difference between these two types of OTPs. Both have a moving factor that changes them. With TOTPs the moving factor is their limitation in time, while with HOTPs the moving factor is the counter that is activated with each event — a following code request.

HOTP and TOTP: differences

Which one is better? Advantages of each OTP

Time-based one-time passwords tend to be more secure, because they're only valid in a certain period of time, which adds a certain layer of security. The fact of adding an extra factor that needs to be met increases the security of the code. TOTPs are considered an evolved form of HOTPs— they imply more security because of having an extra factor to meet the algorithm conditions.

Hash-based one-time passwords can be more user friendly. Since they are not limited by the timesteps and can enter the code whenever they want to. 

Dependant on external factors. In both cases, the sending of the one-time codes depends on external factors, such as broadband coverage (for SMS and calls) and internet connection (for email or messaging apps). If the user lacks any of them, the code won't arrive on the user's device and they will be incapable of entering the code and verifying their identity. In this case, the user will need to ask for an extra code.

Implementing HOTPs or TOPs in your auth systems

Whatever type of one-time code you use, you can be sure that multi-step authentication processes are an efficient way of onboarding users. Using one-time passwords is a way of reinforcing forms based on passwords, verifying the user's phone number or email account. The probabilities of fraud or failure when using one-time passwords in 2FA is positively low.

Plus, implementing OTPs in your process is as easy as adding the proper actions to the flow of your onboarding form. With Arengu, you can do so in minutes and with no coding skills. Want to know how? Take a look at the Guides & Tutorials section and learn how to build multi-factor authentication forms, add email OTPs, SMS OTPs, or even magic links.

Try Arengu for free and start exploring its features, including generating one-time codes and sending them with third-party integrations. You can also set an appointment with our team to see a demo and exploit all of Arengu's potential!

You might like to read

Subscribe to our newsletter

Subscribe to our email newsletter to receive article notifications and regular product updates.