Generating Alphanumeric OTP using HOTP


I understand that HOTP can be used to create numerical One Time Passwords. The algorithm behind it is:

K be a secret key
C be a counter
HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C)) with ⊕ as XOR, ∥ as concatenation, (C is the message)

Truncate be a function that selects 4 bytes from the result of the HMAC in a defined manner.

Then HOTP(K,C) is mathematically defined by:

HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF

I have used the following example implementation for my tests and it works fine:

My question is: is it possible to generate an alphanumeric OTP using HOTP instead of a numeric one? The advantage obviously being that the strength of the OTP increases manyfold for a given length. So an 8-digit alphanumeric code is far stronger than an eight-digit numeric code.

asked on Stack Overflow Aug 17, 2016 by user1826116 • edited Jul 25, 2018 by halfer

2 Answers


Of course, you can do whatever you want after the HMAC(K,C). You can map it to HEX or to alphanumeric.

But then you would also have to create your own OTP token - either a hardware token or a smartphone app. This is the great thing about standards, that you do not have to create your own! ;-)

answered on Stack Overflow Aug 17, 2016 by cornelinux

Alphanumeric has a tricky base, base 62. If you allow two more characters then you can just use base 64 (replacing the + and / with any value you prefer).

Otherwise, just look up a Base N encoding library, such as this one for Java (didn't try it, cannot comment on correctness or performance).

This won't influence the security as there is a 1:1 relation between the generated HOTP bits and the given representation. In other words, the different base representation and alphabet are just a different view on the same bit values.

answered on Stack Overflow Aug 20, 2016 by Maarten Bodewes • edited May 23, 2017 by Community
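An added example, not taken from either answer or from the implementation the question refers to: RFC 4226 HOTP next to a base-62 rendering of the same truncated value, with a server-side check. The base-62 variant is non-standard, and the function names, the alphabet order and the look-ahead window are assumptions made for the illustration. The 31-bit truncation caps the entropy of any encoding, so six base-62 characters already carry the whole value.

```python
import hashlib
import hmac
import math
import struct

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
RFC4226_TEST_KEY = b"12345678901234567890"  # test secret from RFC 4226, Appendix D

def truncated_value(key: bytes, counter: int) -> int:
    """Truncate(HMAC-SHA1(K, C)) & 0x7FFFFFFF, as in RFC 4226 section 5.3."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects the 4 bytes
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF

def hotp_numeric(key: bytes, counter: int, digits: int = 6) -> str:
    """Standard decimal HOTP."""
    return str(truncated_value(key, counter) % 10**digits).zfill(digits)

def hotp_base62(key: bytes, counter: int, length: int = 6) -> str:
    """Non-standard: the same 31-bit value written in base 62, zero-padded."""
    value = truncated_value(key, counter) % 62**length
    chars = []
    for _ in range(length):
        value, rem = divmod(value, 62)
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))

def max_entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on code entropy; the truncation never yields more than 31 bits."""
    return min(31.0, length * math.log2(alphabet_size))

def verify(key: bytes, counter: int, candidate: str, length: int = 6, window: int = 3):
    """Return the next counter on success, None on failure (constant-time compare)."""
    for c in range(counter, counter + window):
        expected = hotp_base62(key, c, length)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return c + 1
    return None

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp_numeric(RFC4226_TEST_KEY, c), hotp_base62(RFC4226_TEST_KEY, c))
    print("6 digits:", round(max_entropy_bits(10, 6), 1), "bits")
    print("6 base-62 chars:", max_entropy_bits(62, 6), "bits")
    print("8 base-62 chars:", max_entropy_bits(62, 8), "bits (capped by truncation)")
```

A code longer than six base-62 characters would need more than the four truncated bytes of the HMAC output as input, which is a further departure from the standard.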

User contributions licensed under CC BY-SA 3.0