HOTP

Authenticator apps like Google Authenticator use 2 authenticaion protocol centered around What you have paradigm. Those algorithms are:

• HOTP (HMAC-based One Time Password), and
• TOTP (Time-based One Time Password).

They obviously are different, but both are centered around the same basic idea: using a rolling hash value, that is predictable only to the server and the authenticator app. Additionally, both are using HMAC-SHA-1 for generating those hash values.

In my previous post I explained the gist of the approach used in both algorithms. Here we’ll focus on the details of implementation of HMAC. We’ll tackle TOTP in part 3.

When you’re accessing services over the WEB – let’s pick GMail as an example – a couple of things have to happen upfront:

1. The server you’re connecting to (GMail in our example) has to get to know who you are.
2. Only after getting to know who you are it’s able to decide what resources you are allowed to access (e.g. your own email inbox, your Calendar, Drive etc.).

Step 1 above is called authentication. Step 2 is authorization (server can authorize only after successful authentication).