Exploring the Code: How HOTP and TOTP Are Built from Scratch
Behind the 6-Digit Code: Building HOTP and TOTP from Scratch

For many applications and websites that require an extra layer of security, one-time passwords (OTPs) serve as a crucial barrier. Two widely used OTP technologies are HMAC-Based One-Time Password (HOTP) and Time-Based One-Time Password (TOTP). This article walks through building both from scratch to strengthen user authentication.

HOTP is a password scheme based on HMAC (Hash-Based Message Authentication Code). It generates OTPs from a secret key and a counter. Each time a user needs to log in, the counter increments by one, producing a new OTP. If you've ever received a one-time verification code that changes with each use, HOTP is likely the underlying technology.

TOTP, on the other hand, extends OTP generation with time synchronization. It combines the user's secret key with the current time to generate a new password every 30 seconds. This method is particularly useful for applications that require frequent logins, such as banking and email services.

The building blocks for HOTP and TOTP are similar; the key difference lies in how the OTPs are generated and validated. The first step is to generate a secret key, which must be securely stored on both the server and the user's device. This key is often shared with the user via a QR code, which the user scans to set up the authenticator. Once the secret key is in place, both the server and the client use the same algorithm to compute the OTP.

For HOTP, the counter plays a critical role: the server and the client must maintain the same counter value for the OTPs to match. To account for slight discrepancies, servers often accept a small look-ahead window of counter values, preventing authentication failures when a generated code never reaches the server (for example, because of network delays). In the case of TOTP, time synchronization is crucial. Both the user's device and the server must have their clocks aligned to generate the same OTP. Servers typically accept OTPs that are a few seconds off to improve reliability.

During implementation, additional security measures should be considered. These include limiting the number of times an OTP can be used and setting an expiration time. Moreover, after multiple failed validation attempts, the account should be temporarily locked to prevent brute-force attacks. These safeguards significantly enhance the overall security of the system.

In summary, both HOTP and TOTP offer effective protection for user accounts. While their implementation may pose some technical challenges, the growing involvement of developers and security experts is making these technologies more accessible and robust. For developers aiming to bolster the security of their applications, building HOTP and TOTP from scratch is a worthwhile endeavor.