HOTPGenerate()
Generates a counter-based One-Time Password (HOTP).
Unlike TOTP, which uses the current time, HOTP uses a counter that you increment after each use. Returns a 6-digit code by default.
Requires Extension: Crypto Extension
HOTPGenerate( secret=string, counter=numeric, options=struct );
Returns: String
| Argument | Description |
|---|---|
| secret (string, required) | Base32-encoded secret |
| counter (numeric, required) | Counter value |
| options (struct, optional) | Optional struct: digits (default 6), algorithm (SHA1\|SHA256\|SHA512, default SHA1) |
Usage Notes
HOTP uses a counter rather than time. Your application is responsible for storing and incrementing the counter after each successful verification. If you don't need counter-based OTP specifically, prefer TOTP (TOTPVerify()) which handles the counter automatically using the current time.
The secret must be a Base32-encoded string. Use TOTPSecret() to generate one.
Examples
```cfml
// HOTP generates a one-time password based on a counter value (RFC 4226)
// Unlike TOTP which uses time, HOTP uses a counter that increments with each use
secret = TOTPSecret(); // Base32-encoded shared secret

// Generate a 6-digit code for counter value 0
code = HOTPGenerate( secret, 0 );
// e.g. "755224" - always the same for the same secret and counter

// HOTP is deterministic - same secret + counter always gives the same code
code1 = HOTPGenerate( secret, 42 );
code2 = HOTPGenerate( secret, 42 );
// code1 == code2

// Different counters produce different codes
codeA = HOTPGenerate( secret, 0 );
codeB = HOTPGenerate( secret, 1 );
// codeA != codeB

// Options: change digit count or algorithm
code = HOTPGenerate( secret, 0, { digits: 8 } ); // 8-digit code
code = HOTPGenerate( secret, 0, { algorithm: "SHA256" } );
code = HOTPGenerate( secret, 0, { algorithm: "SHA512" } );
```
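The counter handling described in the Usage Notes, as an added Python reference sketch (not Lucee's code and not part of the original page): `hotp()` follows the RFC 4226 computation, and `verify_and_advance()` shows a server storing the counter, accepting a small look-ahead window and moving past the matched value. The function names, the in-memory `store`, the window size of 3 and the way `algorithm` swaps the HMAC hash are assumptions; the secret is the RFC 4226 Appendix D test secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample data: the RFC 4226 Appendix D test secret
# ("12345678901234567890" in ASCII), Base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then truncate."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # allow unpadded Base32
    key = base64.b32decode(padded)
    # Assumption: the algorithm option only swaps the HMAC hash function.
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_and_advance(store, user, submitted, look_ahead=3):
    """Accept a code at the stored counter or up to look_ahead steps beyond it.

    On success the stored counter moves past the matched value, so that code
    and every earlier one are rejected afterwards. On failure it is unchanged.
    """
    record = store[user]
    matched = None
    for candidate in range(record["counter"], record["counter"] + look_ahead + 1):
        expected = hotp(record["secret"], candidate)
        # Constant-time comparison; keep scanning after a match so each
        # attempt does the same amount of work.
        if hmac.compare_digest(expected.encode(), submitted.encode()) and matched is None:
            matched = candidate
    if matched is None:
        return False
    record["counter"] = matched + 1  # persist this atomically in a real data store
    return True

def demo():
    store = {"alice": {"secret": RFC_SECRET, "counter": 0}}  # hypothetical in-memory store
    return [
        verify_and_advance(store, "alice", hotp(RFC_SECRET, 0)),  # accepted, counter -> 1
        verify_and_advance(store, "alice", hotp(RFC_SECRET, 0)),  # replay, rejected
        verify_and_advance(store, "alice", hotp(RFC_SECRET, 3)),  # client ran ahead, counter -> 4
        verify_and_advance(store, "alice", hotp(RFC_SECRET, 9)),  # beyond the window, rejected
        store["alice"]["counter"],
    ]
```

With this secret, counter 0 yields "755224", the value shown in the comment of the example above.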
See also
- Cryptography
- HOTPVerify()
- TOTPSecret()
- Search Issue Tracker
- Search Lucee Test Cases (good for further, detailed examples)