Multi-Factor Authentication

• Authentication that requires more than one factor to verify identity.
• Combines password (something you know) + second factor (something you have).

HOTP (HMAC-Based One-Time Password)

One-Time Password generated using a secret key + counter, based on HMAC:

1. Server and user share a secret key K
2. Each time a code is requested:
   • Increment counter C (event based)
   • Compute: HOTP = Truncate(HMAC_SHA1(K, C))
   • Returns a 6–8 digit code
   • Example: 123456
3. User enters code during login
4. Server verifies code using same secret + counter

// so server also need to track counter

TOTP (Time-Based One-Time Password)

HOTP variant, where counter = current time / step, usually 30 seconds.