What is OATH – HOTP (Event)?

HOTP (HMAC-based One-time Password) works just like TOTP, except that an authentication counter is used instead of a timestamp. The advantage is that HOTP devices require no clock. However, HOTP is susceptible to losing counter sync: if the user generates an OTP without authenticating with it, the device counter will no longer match the server counter. This can be mitigated on the server by testing several subsequent counter values. This cannot happen with Yubico OTP, since its counter is encrypted (as opposed to hashed).

How does HOTP work?

HOTP is essentially an event-based one-time password. Two inputs are required: the seed from the server and the counter from the HOTP device. The device and server counters sync each time a code is validated and the user gains access.
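The counter behaviour described in the two sections above, as an added example (not Yubico's code or part of the original page): the RFC 4226 code computation plus a server that tests several subsequent counter values and resyncs on success. The `HotpVerifier` class and the window size of 5 are assumptions made for illustration; the secret is the RFC 4226 test secret, not a real seed.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Server-side state for one credential (hypothetical class, not a Yubico API)."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5):
        self.secret = secret
        self.counter = counter  # next counter value the server expects
        self.window = window    # assumed look-ahead: extra counter values to test

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # resync; this code and all earlier ones die
                return True
        return False  # counter unchanged; a real server should also rate-limit

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret, not a real seed

def demo() -> list:
    server = HotpVerifier(SECRET)
    results = []
    # Button pressed 9 times without logging in: device is at counter 9,
    # server still expects 0 and only tests 0..5, so the login fails.
    results.append(server.verify(hotp(SECRET, 9)))
    # Only 3 unused presses: counter 3 is inside the window, server moves to 4.
    results.append(server.verify(hotp(SECRET, 3)))
    # Replaying the accepted code fails because the server counter moved past it.
    results.append(server.verify(hotp(SECRET, 3)))
    # Counter 9 now falls inside the new window 4..9 and is accepted.
    results.append(server.verify(hotp(SECRET, 9)))
    return results

if __name__ == "__main__":
    print(demo())
```

A wider window tolerates more unused button presses but also accepts more candidate codes per attempt, so the window size trades usability against guessing resistance.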

What’s the difference between HOTP and TOTP?

The biggest difference between HOTP and TOTP is that HOTP passwords can be valid for an unspecified amount of time. TOTP passwords are valid for a short period of time and change regularly.

What are the drawbacks of HOTP?

Synchronization problems due to the counter in HOTP. If the button gets clicked one too many times, the token will be useless and login will fail.

Greater vulnerability to brute-force attacks and breaches caused by guessing the OTP, since the codes never expire.

No expiration for generated one-time passwords. TOTP passwords have an edge here, as their passcodes are only available for a specific amount of time.

How to: Programming the YubiKey with an OATH-HOTP credential
