What is OATH - HOTP (Event)?
HOTP works just like TOTP, except that an authentication counter is used instead of a timestamp. The advantage of this is that HOTP (HMAC-based One-time Password) devices require no clock. However, HOTP is susceptible to losing counter sync. That is, if the user generates an OTP without authenticating with it, the device counter will no longer match the server counter. This can be mitigated on the server by testing several subsequent counter values. This can not happen with Yubico OTP since its counter is encrypted (as opposed to hashed).
Programming the YubiKey with an OATH-HOTP credential
How does HOTP work?
HOTP is essentially an event-based one time password. Two inputs are required: the seed from the server and the counter from HOTP. The two sync each time a code is validated and the user gains access.
Learn more about OATH
What’s the difference between HOTP and TOTP?
The biggest difference between HOTP and TOTP is that HOTP passwords can be valid for an unspecified amount of time. TOTP passwords are valid for a short period of time and changes regularly.