HOTP Token
The HOTP token is, together with the TOTP token, the most common token. The HOTP algorithm is defined in RFC 4226. The HOTP token is an event-based token. The HOTP algorithm has some parameters, such as whether the generated OTP value will be 6 digits or 8 digits, or whether the SHA1 or the SHA256 hashing algorithm is used.
Hardware tokens
There are many token vendors out there who are using the official algorithm to build and sell hardware tokens. You can get HOTP-based hardware tokens in different form factors, as a normal key fob for your key ring or as a display card for your purse.
Preseeded or Seedable
Usually hardware tokens like key fobs or display cards contain a secret key that was generated and implanted at the vendor's factory. The vendor ships the tokens and a seed file.
In this case privacyIDEA cannot guarantee that the secret seed of the token is unique, or that you are using a really strong factor.
privacyIDEA also supports the following seedable HOTP tokens:
SafeNet eToken NG OTP
SafeNet eToken Pass
Yubikey in OATH mode (See Yubikey Enrollment Tools on how to enroll Yubikeys in HOTP mode.)
Those tokens can be initialized by privacyIDEA. Thus you can be sure that only you are in possession of the secret seed.
Software tokens
Besides the hardware tokens there are also software tokens, implemented as apps for your smartphone. These software tokens are seedable, so no vendor knows the secret seed of your OTP tokens.
But software tokens are software after all, running on a device that is prone to security issues.
The Google Authenticator can be enrolled easily in HOTP mode using the QR-Code enrollment Feature.
The Google Authenticator is available for iOS, Android and Blackberry devices.
Default settings for HOTP tokens can be configured at HOTP Token Config.
During enrollment you can choose whether the server should generate the key or whether you enter a key you already have into the enrollment page.
As mentioned earlier, you can also choose the OTP length and the hash algorithm.
After enrolling the token, the QR-Code, containing the secret seed, is displayed, so that you can scan this with your smartphone and import it to your app.
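How the OTP length, the hash algorithm and the event counter interact is easiest to see in code. The following is an added example, not privacyIDEA's own implementation: it computes HOTP values as specified in RFC 4226 and checks a submitted OTP on the server side. The function names, the `window` parameter (a look-ahead for button presses the server never saw) and its default are assumptions for illustration; the seed is the published RFC 4226 test seed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """Return the HOTP value for one counter (event) value."""
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    if algo not in ("sha1", "sha256"):
        raise ValueError("algo must be sha1 or sha256")
    # HMAC over the 8-byte big-endian counter, keyed with the secret seed.
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, otp: str, counter: int, window: int = 10,
           digits: int = 6, algo: str = "sha1"):
    """Check otp against counter .. counter+window-1 (hypothetical helper).

    Returns the next counter value to store on success, None on failure.
    """
    for c in range(counter, counter + window):
        expected = hotp(secret, c, digits, algo)
        # Constant-time comparison of the candidate value.
        if hmac.compare_digest(expected.encode(), otp.encode()):
            return c + 1  # storing c + 1 makes every OTP single-use
    return None


# RFC 4226 Appendix D test seed: public test data, never a real token seed.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("6 digits, SHA1  :", hotp(SEED, 0))
    print("8 digits, SHA1  :", hotp(SEED, 0, digits=8))
    print("6 digits, SHA256:", hotp(SEED, 0, algo="sha256"))
    nxt = verify(SEED, hotp(SEED, 3), counter=0)
    print("accepted, next counter:", nxt)
    print("replay of same OTP    :", verify(SEED, hotp(SEED, 3), counter=nxt, window=6))
```

Token and server must agree on all three parameters (seed, digits, hash algorithm); a mismatch in any of them produces values that never verify.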