HOTP

This post is the the second in a three-part series. The remaining two:

• How does Google Authenticator work? (Part 1)
• How does Google Authenticator work? (Part 3)

Authenticator apps like Google Authenticator use 2 authenticaion protocol centered around What you have paradigm. Those algorithms are:

• HOTP (HMAC-based One Time Password), and
• TOTP (Time-based One Time Password).

They obviously are different, but both are centered around the same basic idea: using a rolling hash value, that is predictable only to the server and the authenticator app. Additionally, both are using HMAC-SHA-1 for generating those hash values.

This post is the first in a three-part series. The remaining two:

• How does Google Authenticator work? (Part 2)
• How does Google Authenticator work? (Part 3)

When you’re accessing services over the WEB – let’s pick GMail as an example – a couple of things have to happen upfront:

1. The server you’re connecting to (GMail in our example) has to get to know who you are.
2. Only after getting to know who you are it’s able to decide what resources you are allowed to access (e.g. your own email inbox, your Calendar, Drive etc.).

Step 1 above is called authentication. Step 2 is authorization (server can authorize only after successful authentication).