Rod Simmons

OATH OTP Algorithms in simple English

Every once in a while you have a hard time fully understanding a technology, and it is often because there is a missing piece of information. That is what happened to me around One Time Passwords (OTP). Luckily, I can reach out to a good community at Quest to fill in the blanks. My question was around the security of OTP, specifically event-based tokens vs time-based tokens. At the time of asking the question, I did not call it event-based. The reply I got gave me a better understanding of OATH tokens. Figured this might help someone else.

OATH offers standards for the following principal algorithms:

HOTP - Event-based (aka counter-based) OTP generation - basically the user has to press a button to generate a response. The response is a function of the current counter value. The window used for validating the response can be enlarged in the event that they drift outside a certain tolerance.
  1. Advantage: ease of use
  2. Possible disadvantage: OTP can remain valid for an extended period
  3. Disadvantage: Server and device counters need to be in step
OCRA - Challenge/response OTP generation: Server presents user with a challenge, which the user must type into the device to get a response. The user responds, and the challenge and response are sent to the server where they are checked.
  1. Advantage: No problems with server/device synchronicity
  2. Disadvantage: Usability
TOTP - Time-based algorithm - the response is a function of the current system clock.
  1. Advantage: Very easy to use
  2. Disadvantage: Server and device clocks need to be synchronized
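The two OATH algorithms that do not need a challenge, HOTP and TOTP, are short enough to implement from the RFCs, and seeing them side by side makes the trade-offs in the list above concrete: a TOTP code is just an HOTP code whose counter is derived from the clock, and the "window" the reply mentions is simply the server trying a range of counters. The following Python is an added example written for this post; it is not code from the original reply, from Quest, or from Quest Defender. It uses the published RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"), so the values it produces can be checked against the RFCs. The look-ahead window size and the one-step clock skew tolerance are assumptions chosen for illustration. OCRA (RFC 6287) is left out because its challenge handling and suite string are considerably longer.

```python
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment uses a per-token random secret, never this value.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value, sign bit cleared
    return str(code % (10 ** digits)).zfill(digits)            # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP where the counter is floor(time / step); the device never stores a counter."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_hotp(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 10):
    """Event-based validation with a look-ahead window (window size is an illustrative assumption).

    Returns the new server counter (one past the matched value) on success, or None when no
    counter in [server_counter, server_counter + look_ahead) matches. Advancing the counter is
    what invalidates the accepted code and every skipped code before it; a code the user
    generated but never submitted stays valid until the server counter moves past it.
    """
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), submitted):     # constant-time string compare
            return c + 1
    return None


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, skew_steps: int = 1) -> bool:
    """Time-based validation: accept the current step plus skew_steps neighbours on each side
    to tolerate small clock drift between device and server (skew_steps=1 is an assumption)."""
    t = now // step
    for c in range(t - skew_steps, t + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


if __name__ == "__main__":
    # HOTP: first RFC 4226 test vector, then a device that was pressed three extra times.
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))                       # 755224
    print("resync to counter:", verify_hotp(RFC_TEST_SECRET, hotp(RFC_TEST_SECRET, 3), 0))  # 4
    # TOTP: RFC 6238 vector at T=59 (counter 1), 6 and 8 digits.
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59), totp(RFC_TEST_SECRET, 59, digits=8))  # 287082 94287082
    print("same code 30s later:", verify_totp(RFC_TEST_SECRET, "287082", 89))   # True (one step of skew)
    print("same code 60s later:", verify_totp(RFC_TEST_SECRET, "287082", 120))  # False
```

Two things worth noticing when you run it: HOTP codes for counters 0 to 9 match the RFC 4226 table, and TOTP at T=59 produces the same 6 digits as HOTP counter 1, because 59 // 30 is 1. The `verify_hotp` loop is the "window used for validating the response" from the first bullet; widening it restores a drifted token at the cost of accepting more candidate codes per attempt, which is why a server should also rate-limit verification attempts.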
When I read it again, it looks so obvious, but it was nice to get a brief description of this in non-RFC English. If you are interested in an OATH OTP solution, check out Quest Defender.