• What is OATH – HOTP (Event)?

    HOTP works just like TOTP, except that an authentication counter is used instead of a timestamp. The advantage of this is that HOTP (HMAC-based One-time Password) devices require no clock. However, HOTP is susceptible to losing counter sync. That is, if the user generates an OTP without authenticating with it, the device counter will no longer match the server counter. This can be mitigated on the server by testing several subsequent counter values. This can not happen with Yubico OTP since its counter is encrypted (as opposed to hashed).
    Back to Glossary

    How does HOTP work?

    HOTP is essentially an event-based one time password. Two inputs are required: the seed from the server and the counter from HOTP. The two sync each time a code is validated and the user gains access.

    Learn more about HOTP

    What’s the difference between HOTP and TOTP?

    The biggest difference between HOTP and TOTP is that HOTP passwords can be valid for an unspecified amount of time. TOTP passwords are valid for a short period of time and changes regularly.

    Learn more about TOTP

    What are the drawbacks of HOTP?

    Synchronization due to the counter in HOTP. If the button gets clicked one too many times the token will be useless and login will fail.

    Read More

    More vulnerability to brute force attacks and breaches caused by guessing the OTP, since the codes never expire.

    Read More

    No expiration for generated one time passwords. TOTP passwords have an edge up as their passcodes are only available for a specific amount of time.

    Read More

    How to: Programming the YubiKey with an OATH-HOTP credential

    Get Started

    YubiKey 5 series
    Find the right YubiKey

    Take the quick Product Finder Quiz to find the right key for you or your business.

    Let’s start
    Get protected today

    Browse our online store today and buy the right YubiKey for you.

    Shop now