OTP Authentication: What Is Really Hard About HOTP and TOTP

OTP is often treated as “a better SMS code” or “the 6-digit number in an authenticator app.” Once you start implementing server-side verification, handling drift, debugging reuse, and migrating tokens, it becomes clear that the hard part is not the six digits. The hard part is how the client and server stay in the same state without sending the secret directly.

HOTP and TOTP both solve the same basic problem: the server and the token share one secret, but every login must produce a proof that is short-lived and ideally usable only once. The difference is where synchronization lives. HOTP uses an event counter. TOTP uses time.
