Behind the 6-digit code: Building HOTP and TOTP from scratch
A while ago, I started working on authorization and authentication at work. This taught me a lot about how modern authentication systems work. However, I have always thought One-Time Password logins are the most mystical ones. A six-digit code that changes every time and can be used to verify
You’ve likely encountered them when using a “Secure Login” app like Google Authenticator, or during a “Forgot Password” flow where a temporary code is sent to your email or phone. There are many online resources on TOTP and HOTP; however, I have struggled to find a website that helps me check my implementation, as their secret-key representations were not standardized. To recap: we’ve looked at how HOTP and TOTP work, explored how they’re derived from HMAC, and seen how the server and client can generate matching codes without ever transmitting the password itself.
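As an added example (not code from the original post or its author), here is a from-scratch HOTP and TOTP implementation in Python that follows RFC 4226 and RFC 6238: HMAC over the big-endian counter, dynamic truncation, and the time-step counter for TOTP. It also includes a base32 secret decoder, since authenticator apps and otpauth URIs carry the key in that form, and a server-side verifier that accepts a small clock-drift window and refuses replay of an already-used counter. The function names and the `last_used` parameter are this example's own choices; the test secret `12345678901234567890` is the one published in the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    # The moving factor is an 8-byte, big-endian counter.
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = digest[-1] & 0x0F
    # Mask the top bit so the result is the same on signed and unsigned platforms.
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep only `digits` decimal digits, zero-padded (e.g. 5924 -> "005924").
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, step: int = 30,
         at: Optional[float] = None, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    now = time.time() if at is None else at
    counter = int(now) // step
    return hotp(secret, counter, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Decode the base32 secret as shown by authenticator apps (spaces, lowercase,
    and missing '=' padding are tolerated, since many tools omit them)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6,
                last_used: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matching counter (to be stored as the new
    `last_used`) or None. `window` allows +/- that many steps of clock drift;
    `last_used` rejects any counter already accepted, which blocks replay."""
    now = time.time() if at is None else at
    counter = int(now) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used is not None and candidate <= last_used:
            continue  # already consumed (or older): refuse replay
        expected = hotp(secret, candidate, digits)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected, code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counter 0:", hotp(key, 0))        # 755224 per RFC 4226
    print("TOTP at T=59:  ", totp(key, at=59))   # 287082 per RFC 6238 (6 digits)
    print("verify:", verify_totp(key, totp(key, at=59), at=59))
```

Keep the shared secret on the server as you would any password-equivalent credential, and persist the counter returned by `verify_totp` so the same code cannot be accepted twice within the drift window.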