We support hardware keys that generate a token (not biometric based), or a One-Time Password (OTP). Or more precisely, hardware keys that are either TOTP or HOTP based.

What is OTP?

OTP or One-Time Password is often used in combination with a regular user account and password as an additional security layer for authentication.

An OTP can be retrieved by a mobile (smartphone) application, such as the Evo Secure Login app. A user can also retrieve an OTP from a hardware key, or key fob.

SHA-1 is just one industry standard algorithm that is used to generate an OTP. No matter which algorithm is used, they all require two inputs to generate an OTP code (1) a seed, (2) a moving factor.

The seed is a static value, or secret key, that gets created when you establish a new account with an authentication server. Although the seed doesn’t change, as it is tied to your user. The moving factor will change each time a new OTP is requested. 

What is TOTP?

TOTP or Time-Based One-Time Password, uses a seed that is static, and as you’d expect from the name the moving factor for a TOTP is time-based. 

The amount of time a TOTP is valid is based on the timestep, which is commonly 30 seconds long. If the password is not used within the time window, a new password must be requested.

What is HOTP?

HOTP or Hash-based Message Authentication Code (HMAC)-based One-Time Password is an event-based OTP.

Each time a HOTP code is requested, and validated the moving factor is incremented based on a counter. The code generated for HOTP is valid until a new code is requested and has been validated by the server.

Based on this, the hardware key generator and server are synced each time a code is requested and validated.