Question

Many banks offer some token devices in order to create passwords for one time usage. I wonder which OTP algorithm they use? Is it HOTP or TOTP?


Solution

As aiodintsov said, the answer cannot be generalized, but the choice of technology really depends upon the bank. My guess is TOTP. But let me give a reason for the choice.

TOTP removes the need for client and server to stay in sync on the event counter by using a Unix timestamp instead. The algorithm allows the server to choose how far off an incoming timestamp it deems acceptable, in order to correct for clock drift.

When you receive an OTP from a bank, it will usually say that you should use that OTP within a certain time limit, after which it will expire. If the bank uses HOTP, the OTPs need not expire after a time interval; rather, an OTP will expire only after you place another request, incrementing the counter.

So, next time you receive an OTP which does not ask you to use it within a time limit, be sure it is generated using HOTP.

Other tips

They may use whatever they want, any hash function of their choice. Both HOTP and TOTP are used; see RFC 4226 and RFC 6238. I once had a test card with an HOTP algorithm in complete accordance with RFC 4226 and could use it for an authentication solution (the secret key was provided for the card).

License: CC-BY-SA with attribution