HMAC-based one-time password

Last updated October 04, 2024

HMAC-based one-time password (HOTP) is a one-time password (OTP) algorithm based on HMAC. It is a cornerstone of the Initiative for Open Authentication (OATH).

Algorithm

The HOTP algorithm provides a method of authentication by symmetric generation of human-readable passwords, or values, each used for only one authentication attempt. The one-time property leads directly from the single use of each counter value.

Parties intending to use HOTP must establish some parameters; typically these are specified by the authenticator, and either accepted or not by the authenticated:

A cryptographic hash method H (default is SHA-1)
A secret key K, which is an arbitrary byte string and must remain private
A counter C, which counts the number of iterations
A HOTP value length d (6–10, default is 6, and 6–8 is recommended)

Both parties compute the HOTP value derived from the secret key K and the counter C. Then the authenticator checks its locally generated value against the value supplied by the authenticated.

The authenticator and the authenticated increment the counter C independently of each other, where the latter may increase ahead of the former, thus a resynchronisation protocol is wise. RFC 4226 does not actually require any such, but does make a recommendation. This simply has the authenticator repeatedly try verification ahead of their counter through a window of size s. The authenticator's counter continues forward of the value at which verification succeeds and requires no actions by the authenticated.

The recommendation is made that persistent throttling of HOTP value verification take place, to address their relatively small size and thus vulnerability to brute-force attacks. It is suggested that verification be locked out after a small number of failed attempts or that each failed attempt attracts an additional (linearly increasing) delay.

6-digit codes are commonly provided by proprietary hardware tokens from a number of vendors informing the default value of d. Truncation extracts 31 bits or ${\textstyle \log _{10}(2^{31})\approx 9.3}$ decimal digits, meaning that d can be at most 10, with the 10th digit adding less variation, taking values of 0, 1, and 2 (i.e., 0.3 digits).

After verification, the authenticator can authenticate itself simply by generating the next HOTP value, returning it, and then the authenticated can generate their own HOTP value to verify it. Note that counters are guaranteed to be synchronised at this point in the process.

The HOTP value is the human-readable design output, a d-digit decimal number (without omission of leading 0s):

HOTP value = HOTP(K, C) mod 10^d.

That is, the value is the d least significant base-10 digits of HOTP.

HOTP is a truncation of the HMAC of the counter C (under the key K and hash function H):

HOTP(K, C) = truncate(HMAC_H(K, C)),

where the counter C must be used big-endian.

Truncation first takes the 4 least significant bits of the MAC and uses them as a byte offset i:

truncate(MAC) = extract31(MAC, MAC[(19 × 8 + 4):(19 × 8 + 7)]),

where ":" is used to extract bits from a starting bit number up to and including an ending bit number, where these bit numbers are 0-origin. The use of "19" in the above formula relates to the size of the output from the hash function. With the default of SHA-1, the output is 20 bytes , and so the last byte is byte 19 (0-origin).

That index i is used to select 31 bits from MAC, starting at bit i × 8 + 1:

extract31(MAC, i) = MAC[(i × 8 + 1):(i × 8 + 4 × 8 − 1)].

31 bits are a single bit short of a 4-byte word. Thus the value can be placed inside such a word without using the sign bit (the most significant bit). This is done to definitely avoid doing modular arithmetic on negative numbers, as this has many differing definitions and implementations.^[1]

Tokens

Both hardware and software tokens are available from various vendors, for some of them see references below. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms.^[2] As of 2010, OATH HOTP hardware tokens can be purchased for a marginal price.^[3] Some products can be used for strong passwords as well as OATH HOTP.^[4]

Software tokens are available for (nearly) all major mobile/smartphone platforms (J2ME,^[5] Android,^[6] iPhone,^[7] BlackBerry,^[8] Maemo,^[9] macOS,^[10] and Windows Mobile ^[8]).

Reception

Although the early reception from some of the computer press was negative during 2004 and 2005,^[11]^[12]^[13] after IETF adopted HOTP as RFC 4226 in December 2005, various vendors started to produce HOTP-compatible tokens and/or whole authentication solutions.

According to the article "Road Map: Replacing Passwords with OTP Authentication"^[2] on strong authentication, published by Burton Group (a division of Gartner, Inc.) in 2010, "Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time."

Related Research Articles

<span class="mw-page-title-main">HMAC</span> Computer communications authentication algorithm

In cryptography, an HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message. An HMAC is a type of keyed hash function that can also be used in a key derivation scheme or a key stretching scheme.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

<span class="mw-page-title-main">Block cipher mode of operation</span> Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

In cryptography, PBKDF1 and PBKDF2 are key derivation functions with a sliding computational cost, used to reduce vulnerability to brute-force attacks.

In cryptography, CRAM-MD5 is a challenge–response authentication mechanism (CRAM) based on the HMAC-MD5 algorithm. As one of the mechanisms supported by the Simple Authentication and Security Layer (SASL), it is often used in email software as part of SMTP Authentication and for the authentication of POP and IMAP users, as well as in applications implementing LDAP, XMPP, BEEP, and other protocols.

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system, which is governed by Group Policy settings, for which different versions of Windows have different default settings.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.

SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby a client may log in using any authentication mechanism supported by the server. It is mainly used by submission servers, where authentication is mandatory.

Google Authenticator is a software-based authenticator by Google. It implements multi-factor authentication services using the time-based one-time password and HMAC-based one-time password, for authenticating users of software applications.

multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance—as a standard OVA file, a customized OVA file with open-vm-tools, and also as a virtual machine downloadable file that can run on Microsoft's Hyper-V, a common native hypervisor in Windows computers.

In cryptography, the Salted Challenge Response Authentication Mechanism (SCRAM) is a family of modern, password-based challenge–response authentication mechanisms providing authentication of a user to a server. As it is specified for Simple Authentication and Security Layer (SASL), it can be used for password-based logins to services like LDAP, HTTP, SMTP, POP3, IMAP and JMAP (e-mail), XMPP (chat), or MongoDB and PostgreSQL (databases). For XMPP, supporting it is mandatory.

JSON Web Token is a proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key.

Nitrokey is an open-source USB key used to enable the secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. The hardware and software of Nitrokey are open-source. The free software and open hardware enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, macOS, Linux, and BSD.

References

↑ Frank, Hoornaert; David, Naccache; Mihir, Bellare; Ohad, Ranen (December 2005). "HOTP: An HMAC-Based One-Time Password Algorithm". tools.ietf.org. doi:10.17487/RFC4226.
1 2 Diodati, Mark (2010). "Road Map: Replacing Passwords with OTP Authentication". Burton Group. Archived from the original on 2011-07-21. Retrieved 2011-02-10.
↑ "Security Authentication Tokens — Entrust". Entrust. 2011. Archived from the original on 2013-04-05. Retrieved 2010-03-05.
↑ "Password sCrib Tokens — Smart Crib". Smart Crib. 2013. Archived from the original on 2013-03-20.
↑ "DS3 Launches OathToken Midlet Application". Data Security Systems Solutions. 2006-02-24. Archived from the original on 29 December 2013.
↑ "StrongAuth". 2010. Archived from the original on 2010-05-18.
↑ Cobbs, Archie L. (2010). "OATH Token". Archie L. Cobbs.
1 2 "ActivIdentity Soft Tokens". ActivIdentity. 2010. Archived from the original on 2010-09-17.
↑ Whitbeck, Sean (2011). "OTP Generator for N900". Sean Whitbeck.
↑ "SecuriToken". Feel Good Software. 2011. Archived from the original on 2012-04-25.
↑ Kearns, Dave (2004-12-06). "Digging deeper into OATH doesn't look so good". Network World.
↑ Willoughby, Mark (2005-03-21). "No agreement on Oath authentication". Computerworld. Archived from the original on 2012-10-11. Retrieved 2010-10-07.
↑ Kaliski, Burt (2005-05-19). "Algorithm agility and OATH". Computerworld. Archived from the original on 2012-10-11. Retrieved 2010-10-07.

External links

RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm
RFC 6238: TOTP: Time-Based One-Time Password Algorithm
RFC 6287: OCRA: OATH Challenge-Response Algorithm
Initiative For Open Authentication
Implementation of RFC 4226 - HOPT Algorithm Step by step Python implementation in a Jupyter Notebook

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Frank, Hoornaert; David, Naccache; Mihir, Bellare; Ohad, Ranen (December 2005). "HOTP: An HMAC-Based One-Time Password Algorithm". tools.ietf.org. doi:10.17487/RFC4226.

[gartnerotprm-2] 1 2 Diodati, Mark (2010). "Road Map: Replacing Passwords with OTP Authentication". Burton Group. Archived from the original on 2011-07-21. Retrieved 2011-02-10.

[3] "Security Authentication Tokens — Entrust". Entrust. 2011. Archived from the original on 2013-04-05. Retrieved 2010-03-05.

[4] "Password sCrib Tokens — Smart Crib". Smart Crib. 2013. Archived from the original on 2013-03-20.

[5] "DS3 Launches OathToken Midlet Application". Data Security Systems Solutions. 2006-02-24. Archived from the original on 29 December 2013.

[6] "StrongAuth". 2010. Archived from the original on 2010-05-18.

[7] Cobbs, Archie L. (2010). "OATH Token". Archie L. Cobbs.

[actividentityst-8] 1 2 "ActivIdentity Soft Tokens". ActivIdentity. 2010. Archived from the original on 2010-09-17.

[9] Whitbeck, Sean (2011). "OTP Generator for N900". Sean Whitbeck.

[10] "SecuriToken". Feel Good Software. 2011. Archived from the original on 2012-04-25.

[11] Kearns, Dave (2004-12-06). "Digging deeper into OATH doesn't look so good". Network World.

[12] Willoughby, Mark (2005-03-21). "No agreement on Oath authentication". Computerworld. Archived from the original on 2012-10-11. Retrieved 2010-10-07.

[13] Kaliski, Burt (2005-05-19). "Algorithm agility and OATH". Computerworld. Archived from the original on 2012-10-11. Retrieved 2010-10-07.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]