A shared secret and a moving value
One-time password algorithms combine a shared secret, provisioned once when you scan a QR code, with a changing input (the "moving factor"). An HMAC over both produces a digest, and dynamic truncation turns that digest into a short numeric code.
- HOTP uses a counter that increments each time a code is generated.
- TOTP uses the current time, divided into fixed windows, usually thirty seconds.
Because both sides hold the secret and agree on the moving value, they compute the same code without ever transmitting the secret.
Drift and windows
TOTP depends on synchronized clocks. To tolerate small drift, the server accepts codes from the adjacent time windows, not just the exact one. HOTP instead risks counter desynchronization if a generated code is never submitted, so servers check a small look-ahead window of counter values and, on a match, advance their stored counter past the one that matched.
Why interception still hurts
These codes are short-lived but not phishing-proof. A user can be tricked into typing a valid code into a fake site, which relays it to the real one before it expires. This is why origin-bound methods like passkeys are stronger: the credential is tied to the site's origin, so a look-alike site cannot obtain a usable response.
Key idea
TOTP and HOTP derive short codes from a shared secret plus a moving counter or time window, letting both sides agree without sending the secret.