HMAC-based One-time Password algorithm
HMAC-based One-time Password algorithm (HOTP) is a one-time password (OTP) algorithm based on HMAC (hash-based message authentication code). It is a cornerstone of the Initiative for Open Authentication (OATH).
HOTP was published as an informational IETF RFC 4226 in December 2005, documenting the algorithm along with a Java implementation. Since then, the algorithm has been adopted by many companies worldwide (see below). The HOTP algorithm is a freely available open standard.
The HOTP algorithm provides a method of authentication by symmetric generation of human-readable passwords, or values, each used for only one authentication attempt. The one-time property leads directly from the single use of each counter value.
Parties intending to use HOTP must establish some parameters; typically these are specified by the authenticator, and either accepted or not by the authenticatee:
- A cryptographic hash method, H (default is SHA-1)
- A secret key, K, which is an arbitrary byte string, and must remain private
- A HOTP value length, d (default and minimum is 6, and the recommendation is 6–8)
Both parties compute the HOTP value, then the authenticator checks its locally-generated value against the value supplied by the authenticatee.
The authenticator and authenticatee increment the counter independently of each other, where the latter may increase ahead of the former, thus a resynchronisation protocol is wise. RFC 4426 doesn't actually require any such, but does make a recommendation. This simply has the authenticator repeatedly try verification ahead of their counter through a window of size, s. The authenticator's counter continues forward of the value at which verification succeeds, and requires no actions by the authenticatee.
The recommendation is made that persistent throttling of HOTP value verification take place, to address their relatively small size and thus vulnerability to brute force attacks. It is suggested that verification be locked out after a small number of failed attempts, or that each failed attempt attracts an additional (linearly-increasing) delay.
After verification, the authenticator can authenticate itself simply by generating the next HOTP value, returning it, and then the authenticatee can generate their own HOTP value to verify it. Note that counters are guaranteed to be synchronised at this point in the process.
The HOTP value is the human-readable design output, a d-digit decimal number (without omission of leading 0s):
- HOTP value = HOTP(K, C) mod 10d
That is, the value is the d least significant base-10 digits of HOTP.
HOTP is a truncation of the hashed message authentication code of the counter C (under the key K and hash function, H).
- HOTP(K, C) = truncate(HMACH(K, C))
Truncation first takes the 4 least significant bits of MAC and uses it as an offset, i.
- truncate(MAC) = extract(MAC, MAC[156:159] × 8)
That index i is used to select 31 bits from MAC, starting at bit i + 1.
- extract(MAC, i) = MAC[i + 1:i + (4 × 8) − 1]
Note that 31 bits is a single bit short of a 4-byte word. Thus, the value can be placed inside such a word without using the sign bit (the most significant bit). This is done to definitely avoid doing modular arithmetic on negative numbers, as this has many differing definitions and implementations.
Both hardware and software tokens are available from various vendors, for some of them see references below. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms. As of 2010, OATH HOTP hardware tokens can be purchased for a marginal price. Some products can be used for strong passwords as well as OATH HOTP.
Although the reception from some of the computer press has been negative during 2004 and 2005, after IETF adopted HOTP as RFC 4226 in December 2005, various vendors started to produce HOTP compatible tokens and/or whole authentication solutions (see above/below).
According to a paper on strong authentication (entitled "Road Map: Replacing Passwords with OTP Authentication") published by Burton Group (a division of Gartner, Inc.) in 2010, "Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time."
- Frank, Hoornaert; David, Naccache; Mihir, Bellare; Ohad, Ranen. "HOTP: An HMAC-Based One-Time Password Algorithm". tools.ietf.org.
- Diodati, Mark (2010). "Road Map: Replacing Passwords with OTP Authentication". Burton Group.
Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time. ... If the organization does not need the extensive platform support, then OATH-based technology is likely a more cost-effective choice.
- "Security Authentication Tokens - Entrust". Entrust. 2011.
Priced at $5 per token, the Entrust IdentityGuard Mini Token demonstrates that secure, reliable hardware authentication can be had at an attractive price. ... OATH and DES/3DES algorithm support
- "Password sCrib Tokens - Smart Crib". Smart Crib. 2013.
You can get a token typing 4 updatable passwords and 8 digit OATH HOTP codes for the price of £35, no strings attached.
- "DS3 Launches OathToken Midlet Application". Data Security Systems Solutions. 2006-02-24. Archived from the original on 29 December 2013.
Singapore, Friday, 24 February 2006 - Data Security Systems Solutions is pleased to announce the launch of OathToken Midlet application, an extension of DS3 flagship product - Authentication Server.
- "Android Token". diamondz... AT googlemail.com (not a full address, no better info on author could be found). 2009.
Android Token is a project to create OATH software tokens for the Android platform. Turning a mobile phone into a One Time Password (OTP) generation device which can be used in the place of hardware tokens. ... The project supports both HOTP (Event Tokens) and TOTP (Time Tokens) specifications. ... Code license: GNU GPL v3
- "StrongAuth". StrongAuth. 2010. Archived from the original on 2010-05-18.
Time-based one-time passcode generator based on HOTP (RFC 4226).
- Cobbs, Archie L. (2010). "OATH Token". Archie L. Cobbs.
OATH Token is a free and open-source software token for two-factor authentication on the iPhone. OATH Token implements the RFC 4226 HOTP/OATH algorithm standard and is not tied to any proprietary server software.
- "ActivIdentity Soft Tokens". ActivIdentity. 2010. Archived from the original on 2010-09-17.
All ActivIdentity Soft Tokens support the Initiative For Open Authentication (OATH) HMAC-Based One-Time Password (HOTP) algorithm. ... ActivIdentity Mobile Soft Tokens are available on leading handset operating systems, including BlackBerry®, Apple® iPhone®, Windows Mobile, and many other Java 2 Platform, Micro Edition (J2ME) enabled devices.
- Whitbeck, Sean (2011). "OTP Generator for N900". Sean Whitbeck.
OTP Generator for Maemo on the Nokia N900. Supports OATH tokens (HOTP,TOTP) as well as the Mobile-OTP algorithm.
- "SecuriToken". Feel Good Software. 2011. Archived from the original on 2012-04-25.
SecuriToken is an RFC compliant application to create and manage multiple software tokens for the OS X platform. Turning your Mac into a One Time Password (OTP) generation device which can be used in the place of hardware tokens.
- Kearns, Dave (2004-12-06). "Digging deeper into OATH doesn't look so good". Network World.
It may be that OATH will amount to something someday, but so far, it appears to be a stalking horse for VeriSign and that's not a bandwagon we should thoughtlessly jump on.
- Willoughby, Mark (2005-03-21). "No agreement on Oath authentication". Computerworld.
- Kaliski, Burt (2005-05-19). "Algorithm agility and OATH". Computerworld.
Nevertheless, there is still good reason to question whether HOTP is suitable as a standard algorithm for OTP generation, and, more generally, whether such a standard algorithm is even necessary at all.