BSG utilizes HTTP cookies (and similar or complementary technologies) to 1) make this website safe, functional, and accessible (through the use of mandatory cookies) and 2) understand how you use our website (through the use of optional cookies) in order to improve your experience and to provide you with personalized content.

The information in the cookie text files may be related to your personal preferences or your device and is intended to make the site operate according to your expectations. The information contained in cookies does not usually identify your identity directly but is helpful in providing you with a more personalized user experience.

In accordance with the requirements of the General Data Protection Regulation (GDPR) privacy and security law that governs how the personal data of individuals in the EU may be processed and transferred, we provide you the possibility to prohibit the use of certain types of cookies when you use our website.

Read our Cookie Notice and the Privacy Policy for detailed information on how BGS collects and uses cookies. Please note that prohibiting the use of certain types of cookies may affect your interaction with the website and limit the accessibility of services we offer you. Choose the appropriate category below to learn more and to disable cookies.

Accept All cookies*

*Recommended for comfortable use of the site

Accept only necessary cookies

Accept only selected cookies

Necessary cookies

Social media

Analytics

Marketing

HOTP (HMAC-Based One-Time Password)

What is HOTP?

HOTP (HMAC-Based One-Time Password) is a one-time verification code generated using a shared secret key and an incrementing counter, where each new code is triggered by a successful authentication event rather than a time interval.

How does HOTP work?

HOTP generates codes using HMAC-SHA1 — a hash function that combines a shared secret with a counter value. Every time the user successfully authenticates, the counter increments on both the client device and the server. The next login attempt produces a different code based on the updated counter.

How does HOTP differ from TOTP?

The key difference from TOTP is persistence: an HOTP code does not expire after 30 seconds. It remains valid until the user authenticates again or the server advances the counter. This makes HOTP practical for hardware tokens (like YubiKey in HOTP mode) where users may generate a code and enter it minutes later.

When is HOTP still used?

The downside of HOTP is a wider attack window. A stolen HOTP code can be used at any point before the next legitimate login — unlike TOTP, where the window closes in 30 seconds regardless. For this reason, most modern consumer-facing platforms prefer TOTP or SMS OTP over HOTP. HOTP remains common in enterprise hardware token deployments and legacy systems where time synchronization between server and device is unreliable. The RFC 4226 standard defines the HOTP algorithm.