Back to Blog
By 2fas Plus Team

TOTP vs HOTP: What's the Difference?

Two algorithms, one goal. A quick tour of how time-based and counter-based one-time passwords actually work.

TOTP (Time-based One-Time Password) derives its code from the current Unix time, sliced into 30-second windows. Both your device and the server compute the same HMAC — no round-trip, no shared secret in flight after the initial enrollment.

HOTP (HMAC-based One-Time Password) uses a monotonically increasing counter instead of time. The server advances its counter every time it accepts a code. This is why some hardware tokens can drift out of sync — the counters diverge.

In practice, TOTP is the modern default for web logins. HOTP still shows up on legacy tokens and specific banking flows. 2fas Plus supports both because your secrets don't get to pick where they came from.