HOTP vs TOTP: Differences and advantages

OTP stands for "one-time password" and it is frequently used as an additional verification factor in multi-factor authentication systems. But what are HOTPs and TOTPs? Do you want to know the difference between them? Which one is more recommended? Keep reading!

What is an OTP?

A one-time password or OTP is a unique code that is sent to a user, normally to their email or phone. It is usually compounded by 4 to 6 characters that the user has to enter in order to verify their identity.

One-time passwords are frequently used as a complementary authentication factor in multi-factor authentication processes, but it can also be the sole method to authenticate a user.

These authentication codes can be based on events (HOTP) or on time (TOTP).

What is an HOTP?

HOTPs are one-time codes based on events. HOTP stands for "hash-based one-time password", therefore it is based on hash-based message authentication codes.

This kind of OTP consists on the generation of a token that only the user and the server can know. This token is sent to the user and is based on a hash algorithm, hence the name "hash-based one-time passwords".

What is a TOTP?

TOTPs are one-time passwords based on time. TOPT stands form "time-based one-time password". As opposed to the previous type, these OTPs base their functioning on time sequences called timesteps. The duration of a timestep for a TOTP usually lasts between 30 and 180 seconds, but you can personalize this time lapse. Hence, if the user doesn't enter the one-time password in the set amount of time, the code won't be valid anymore.

HOTP vs TOTP: What's the difference?

TOTPs are considered an evolved form of HOTPs— they are the newest technology and imply more security because of having an extra factor to meet the algorithm conditions.

Time-based one-time passwords tend to be more secure, because they're only valid in a certain period of time, which adds a certain layer of security. The fact of adding an extra factor that needs to be met increases the security of the code.

On the other hand, the sending of the one-time codes depends on external factors, such as broadband coverage (for SMS and calls) and internet connection (for email or messaging apps). If the user lacks any of them, the code won't arrive to the user's device and they will be incapable of entering the code and verifying their identity. In this case, the user will need to ask for an extra code.

Even when all the external platforms are working correctly, if the user doesn't enter the OTP quickly, the code won't be valid either.

Regarding this matter, HOTPs can be a friendlier way of verifying users, since they are not limited by the timesteps and can enter the code whenever they want to. Unfortunately, this is a less secure option when compared to time-based OTPs.

Implementing HOTPs or TOPs in your auth systems

Whatever type of one-time code you use, you can be sure that multi-step authentication processes are an efficient way of onboarding users. Using one-time passwords is a way of reinforcing forms based on passwords, verifying the user's phone number or email account. The probabilities of fraud or failure when using one-time passwords in 2FA is positively low.

Plus, implementing OTPs in your process is as easy as adding the proper actions to the flow of your onboarding form. With Arengu, you can do so in minutes and with no coding skills. Want to know how? Take a look at the Guides & Tutorials section and learn how to build multi-factor authentication forms, add email OTPs, SMS OTPs, or even magic links.

Try Arengu for free and start exploring its features, including generating one-time codes and sending them with third-party integrations. You can also set an appointment with our team to see a demo and exploit all of Arengu's potential!