Clarify one-time password standards and why this site focuses on TOTP.

TOTP vs HOTP

Compare time-based and counter-based one-time passwords and why most authenticator app setups use TOTP.

HOTP uses a counter; TOTP uses time.
TOTP is easier for consumer logins because both sides already have a shared clock.
HOTP can still be useful in some systems, but it needs counter resynchronization when the client and server counters fall out of step.

How HOTP works

HOTP increments a counter each time a code is used. That makes it useful for some event-based systems, but the server and client must stay in step or they need a resync process.

How TOTP differs

TOTP replaces the counter with a time step. That makes it easier for human login flows because the code changes on a predictable schedule instead of after every event.

Why most apps default to TOTP

TOTP fits the common website login model better, works offline, and is simple for users to understand. HOTP remains part of the standards family, but TOTP is the dominant consumer pattern.

Action items

  • Use TOTP for normal consumer logins unless a platform specifically asks for HOTP.
  • If you see an HOTP system, look for resynchronization instructions.
  • Do not assume every authenticator app entry uses the same algorithm or period.

Cautions

  • Counter drift and time drift are different problems.
  • The presence of a 6-digit code does not tell you whether the system is HOTP or TOTP.
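
The points above as an added Python example (not code from this site): HOTP per RFC 4226, TOTP per RFC 6238 as the same function fed a time step, and a server-side check for each kind of drift. The names verify_hotp, verify_totp, look_ahead and skew_steps and their default values are assumptions made for illustration; the secret is the published RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret; real secrets are random and per-user.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: the same computation with counter = elapsed time steps."""
    return hotp(secret, unix_time // period, digits)

def _same(a: str, b: str) -> bool:
    # Constant-time comparison of the expected and submitted codes.
    return hmac.compare_digest(a.encode(), b.encode())

def verify_hotp(secret, submitted, server_counter, look_ahead=5):
    """Counter drift: the token may have run ahead of the server.
    Search forward only; return the next counter to store, or None."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret, c), submitted):
            return c + 1  # resynchronized; skipped counters are never accepted again
    return None

def verify_totp(secret, submitted, unix_time, period=30, skew_steps=1):
    """Time drift: accept a small number of steps either side of server time."""
    step = unix_time // period
    steps = [step + d for d in range(-skew_steps, skew_steps + 1) if step + d >= 0]
    return any(_same(hotp(secret, s), submitted) for s in steps)

if __name__ == "__main__":
    # Same 6 digits from both schemes: counter 1 and time 59 s (step 1).
    print(hotp(SECRET, 1), totp(SECRET, 59))
    # Token pressed three extra times: server at 2, token at 5.
    print(verify_hotp(SECRET, hotp(SECRET, 5), server_counter=2))
    # A code from step 1 is accepted at 61 s but not at 95 s.
    print(verify_totp(SECRET, "287082", 61), verify_totp(SECRET, "287082", 95))
```

A larger look_ahead or skew_steps tolerates more drift but also accepts more candidate codes per attempt, so both are usually kept small.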
