One-time password: frequently asked questions

Nick Smith | | 5 minute read
HOTP One-Time Password OTP TOTP

Answers to common questions relating to importing, provisioning and managing OTP hardware tokens in 2FA and MFA environments.

The following questions are answered:

What are OATH tokens?

The terms OATH tokens and OATH-compliant tokens generally refer to one-time password tokens that are compliant with the OTP specifications developed by OATH, the Initiative for Open Authentication. Key OATH specifications include the original HOTP spec (RFC 4226), the subsequent TOTP spec (RFC 6238) and OCRA, the OATH-based Challenge-Response Algorithm (RFC 6287).

Discover our range of OATH tokens here

What is HOTP?

HOTP stands for HMAC-based One-Time Password. It is a type of OTP algorithm where the code changes based on an event, such as the user pressing a button on the token. This increments a counter in the token, which is then used to derive the OTP code.

You can read more technical information about HOTP in our blog post HOTP vs TOTP: What's the Difference?.

What is event-based OTP?

See What is HOTP?

What is RFC 4226?

The specification that describes the HOTP algorithm.

What is TOTP?

TOTP stands for Time-based One-Time Password. TOTP uses the same fundamental algorithm as HOTP except that the counter is replaced by time, meaning that OTP codes naturally change at regular intervals (the timestep) and are only valid for that same duration.

You can read more technical information about TOTP in our blog post HOTP vs TOTP: What's the Difference?.

What is time-based OTP?

See What is TOTP?

What is RFC 6238?

The specification that describes the TOTP algorithm.

What is the TOTP timestep?

In TOTP the timestep is the duration that OTP codes are valid for before a new code is generated. Commonly used timesteps are 30 or 60 seconds.

What are OTP seeds?

The seed is the secret key of an OTP token. This secret value along with the counter (in HOTP) or time (in TOTP) is fed into the OTP algorithm in order to calculate the OTP code. The seed is known only by the token, where it is internal and cannot be extracted, and by the verifying server.

How are OTP seeds delivered?

After you place an order with us we send you the seeds for your batch of tokens via one of several secure delivery methods. We will ask you which delivery method you prefer when you place your first order.

The seeds are provided to you in a seeds file. This file lists each token's serial number and its corresponding seed. The seeds file is either a plain text file listing one token per line with the serial number followed by the seed, or a PSKC file, which is an XML-based format required by some 2FA/MFA platforms.

If you are unsure what format seeds file your system requires then please consult the documentation, which should specify this. If you are still unsure, contact our support team and we will happily assist you.

How do I import OTP tokens into my 2FA/MFA platform?

Importing hardware OTP tokens will require you to upload the seeds file to your 2FA/MFA platform. See How are OTP seeds delivered? for information about the OTP seeds file.

How you import the seeds file will be different for each platform/product. Our tokens can be used with a wide range of different products that support OATH OTP, so we do not offer specific guides for each one.

The documentation for your particular product will explain how to import hardware OTP tokens and is worth reading thoroughly. It is important for IT administrators to understand the process of provisioning (adding) new tokens and managing existing tokens.

If you require help importing tokens purchased from Microcosm then please contact our support team and we will happily assist you.

How are SHA-1/SHA-256 relevant to OTP?

The SHA family of hash functions are used as part of the OTP algorithm to calculate the OTP code from the seed and the counter (HOTP) or time (TOTP). Event-based OTP uses SHA-1 and time-based OTP can use SHA-1 or SHA-256. Systems that support TOTP usually support SHA-1 while support for SHA-256 is less common.

Do I need SHA-1 or SHA-256 TOTP tokens?

This mainly depends on what your particular 2FA/MFA platform supports. The documentation for your particular product will explain what specification of hardware tokens is supported.

View our range of SHA-1 & SHA-256 TOTP tokens

What is OCRA?

OCRA stand for the OATH Challenge-Response Algorithm. It leverages the OTP alogrithm to allow an input challenge to be specified alongside the seed and either a counter or time value depending on how it is configured.

OCRA is commonly used in keypad-style authenticators where the application or website being accessed displays a code (the challenge) for the user to enter into the authenticator device to get another code (the response), which is then entered back into the application.