About one-time passwords

One-time passwords (also called verification codes) are composed of a number of digits. They are calculated from these parameters:

  • A shared secret key that only your account provider and you know.
  • Configuration values that are specific to your account provider.
  • A consecutive counter.

When you use a one-time password to authenticate yourself, your account provider expects a password that is calculated from a certain counter value. Because Authenticator uses the same rules as your account provider to determine the current counter value, the provider will accept your one-time password.

Authenticator supports time-based and counter-based one-time passwords. These types differ in the way the current counter value is determined:

  • Time-based one-time passwords (TOTP, according to RFC 6238): The counter value is incremented continuously based on the current time. The next value in the series of verification codes is generated when a defined time period has elapsed.
  • Counter-based one-time passwords (HOTP, according to RFC 4226): The counter value is incremented on demand. The next value in the series of verification codes is generated when you request it.