When you enable two-factor authentication and scan a QR code with Google Authenticator or Authy, you're setting up an algorithm that generates one-time passwords. But did you know there are actually two different standards for how these codes are generated?
They're called TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password). Understanding the difference helps you choose the right method for your security needs and troubleshoot issues when codes don't work.
What is HOTP?
HOTP stands for HMAC-based One-Time Password. It's defined by the Internet Engineering Task Force (IETF) in RFC 4226, published in 2005. HOTP was the first widely adopted standard for generating one-time passwords.
HOTP generates codes using two inputs:
- A shared secret key (set up during registration)
- A counter that increments with each use
The process works like this: to produce a code, the token computes HMAC-SHA1 over the counter (encoded as 8 big-endian bytes) with the shared secret as the key, applies the RFC's "dynamic truncation" to pull a 31-bit integer out of the 20-byte MAC, and takes that integer modulo 10^6 to get a 6-digit code (leading zeros are kept, so "007081" is a real code). The token advances its counter every time it generates a code; the server advances its copy only after a successful verification. Keeping those two counters in step is the crux of HOTP's operational problems.
What is TOTP?
TOTP stands for Time-based One-Time Password. It's defined in RFC 6238, published in 2011, and extends the HOTP algorithm by replacing the counter with the current time.
TOTP generates codes using:
- A shared secret key
- The current Unix timestamp, divided into 30-second windows
Instead of a counter, TOTP derives the counter from time: T = floor((current Unix time - T0) / X), where X is the time step (30 seconds by default) and T0 is normally 0. Every 30 seconds T changes and a new code results. No state is exchanged between client and server; they only need clocks that agree to within the server's tolerance. RFC 6238 also permits HMAC-SHA256 and HMAC-SHA512, but the common default remains SHA-1 with 6 digits and 30-second steps.
Apps like Google Authenticator, Authy, and Microsoft Authenticator all use TOTP by default. It's also the standard our free 2FA tool uses.
Side-by-Side Comparison
| Feature | TOTP | HOTP |
|---|---|---|
| Full Name | Time-based One-Time Password | HMAC-based One-Time Password |
| RFC Standard | RFC 6238 (2011) | RFC 4226 (2005) |
| Code Generation Factor | Current time (30-second steps) | Incrementing counter |
| Code Validity | One time step (30 seconds typically), plus the server's clock tolerance | Until that counter value is used or the server's counter moves past it |
| Clock Sync Required | Yes, device time must be accurate | No |
| Main Weakness | A code relayed in real time (phishing proxy) is still accepted; otherwise the short window limits replay | A captured but unused code stays valid; counter drift beyond the look-ahead window locks the user out |
| Typical Usage | Google Authenticator, Authy, web apps | Hardware tokens, some legacy systems |
| Works Offline? | Yes | Yes |
Which is More Secure?
Both TOTP and HOTP provide strong security, but they have different risk profiles:
TOTP Security
TOTP is generally considered more secure for software-based 2FA because codes expire quickly. If an attacker captures a TOTP code (for example, through a phishing site), it is only accepted until its time step passes. In practice, the server typically allows a slightly wider window (±1 step, or 90 seconds in total) to account for clock drift, but the window is still very narrow. The caveat is that a real-time phishing proxy that forwards the code to the genuine site the moment the victim types it is well inside that window; the short lifetime blunts offline reuse, not live relay.
HOTP Security
HOTP codes remain valid until consumed: a code for counter value N is accepted until the server's counter moves past N, which, if the token sits unused, can be days or months. This means that if an attacker captures an HOTP code before you use it, they could use it any time before you next log in. The attack still requires capturing that specific code ahead of the legitimate user, a high bar, but the exposure window is open-ended rather than 30 seconds.
HOTP also has a counter synchronization challenge: if codes are generated but not used (for example, if you close the app without submitting), the client counter advances but the server counter doesn't. Most systems handle this with a "look-ahead window" that accepts any of the next N counter values and, on a match, jumps the server counter past the matched value so that code and every skipped value below it are dead. The cost is that an attacker guessing codes now has N+1 acceptable values instead of one, which is why RFC 4226 insists on throttling or locking out after a small number of failed attempts.
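The generators described in the HOTP and TOTP sections above, together with the two server-side acceptance rules just discussed (the ±1-step TOTP window and the HOTP look-ahead window), as one added example in Python's standard library. This is illustration code written for this article, not code from the page's 2FA tool or from any authenticator app. Assumed for the example: the function and class names, a look-ahead of 5, and the 20-byte ASCII secret from the RFC 4226 / RFC 6238 test vectors as the sample input, so the outputs can be checked against the RFCs.

```python
import base64
import hashlib
import hmac
import struct


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Constructed input for this example; a real enrollment uses a random secret.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP step (X in RFC 6238)
DIGITS = 6


def decode_base32_secret(encoded: str) -> bytes:
    """otpauth:// URIs carry the secret base32-encoded, often without '=' padding; restore it."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # low nibble of last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear top bit: 31-bit int
    return str(binary % (10 ** digits)).zfill(digits)       # keep leading zeros; "007081..." is a real code


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is T = floor((unix_time - T0) / step), with T0 = 0."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side TOTP check: current step plus skew_steps either side (skew 1 -> 3 steps = 90 s)."""
    current = unix_time // TIME_STEP
    for t in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, t), code):      # constant-time compare
            return True
    return False


class HotpServer:
    """Server-side HOTP state for one token: the expected counter plus a look-ahead window.

    Assumed look-ahead of 5. RFC 4226 section 7.4 says to keep it small and to throttle failed
    attempts, because a wider window multiplies an attacker's guessing odds.
    """

    def __init__(self, secret: bytes, lookahead: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects the token to use
        self.lookahead = lookahead

    def verify(self, code: str) -> bool:
        # Accept the expected counter or any of the next `lookahead` values (the client may have
        # generated codes it never submitted). On a match, move the server counter past the matched
        # value so that code, and every skipped value below it, can never be accepted again.
        for c in range(self.counter, self.counter + self.lookahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def walkthrough() -> dict:
    """Exercise both algorithms and the server-side rules; returns the observations for inspection."""
    server = HotpServer(RFC_TEST_SECRET)
    return {
        "hotp_counter_0": hotp(RFC_TEST_SECRET, 0),                      # RFC 4226 vector: 755224
        "totp_t59": totp(RFC_TEST_SECRET, 59),                            # RFC 6238 vector, 6 digits: 287082
        "totp_t59_8digits": totp(RFC_TEST_SECRET, 59, digits=8),          # full RFC 6238 vector: 94287082
        "totp_in_window": verify_totp(RFC_TEST_SECRET, "287082", 89),     # step 2; code from step 1 accepted
        "totp_expired": verify_totp(RFC_TEST_SECRET, "287082", 120),      # step 4; window 3..5 rejects it
        "hotp_skip_ahead": server.verify(hotp(RFC_TEST_SECRET, 1)),       # client skipped counter 0: accepted
        "hotp_replay_old": server.verify(hotp(RFC_TEST_SECRET, 0)),       # counter 0 now behind: rejected
        "hotp_beyond_window": server.verify(hotp(RFC_TEST_SECRET, 20)),   # drifted past look-ahead: rejected
        "server_counter": server.counter,                                 # 2 after the accepted code
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Note that `verify_totp` is deliberately stateless: it does not stop the same code being submitted twice inside its 90-second window. A production verifier records the last accepted time step per user and refuses anything at or below it, which is the TOTP analogue of the HOTP counter advancing in `HotpServer.verify`.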
Why is TOTP the Standard Today?
TOTP has become the dominant standard for app-based 2FA for several reasons:
- Short validity window makes a captured code useless once its time step (plus the server's tolerance) has passed
- No counter synchronization issues between client and server
- Phones sync their clocks over the network, so the clock-accuracy requirement is rarely a problem in practice
- The 30-second window is short enough for security, but long enough for users to read and type the code
- Universally supported by apps and services
When is HOTP Still Used?
HOTP remains useful in specific scenarios:
- Hardware tokens without clocks: Simple hardware devices that don't have a real-time clock use HOTP since they can't track time
- Offline environments: Situations where time synchronization isn't possible
- Event-based authentication: When you want a code that lasts until a specific action is taken
Generate TOTP Codes for Free
Our free online 2FA tool uses the TOTP algorithm, the same standard as Google Authenticator.
Open 2FA Generator →