About one-time passwords
One-time passwords (also called verification codes) are composed of a number of digits. They are calculated from these parameters:
- A shared secret key that only your account provider and you know.
- Configuration values that are specific to your account provider.
- A consecutive counter.
When you use a one-time password to authenticate yourself, your account provider expects a password that is calculated from a certain counter value. Because Authenticator uses the same rules as your account provider to determine the current counter value, the provider will accept your one-time password.
Authenticator supports time-based and counter-based one-time passwords. These types differ in the way the current counter value is determined:
- Time-based one-time passwords (TOTP, according to RFC 6238): The counter value is incremented continuously based on the current time. The next value in the series of verification codes is generated when a defined time period has elapsed.
- Counter-based one-time passwords (HOTP, according to RFC 4226): The counter value is incremented on demand. The next value in the series of verification codes is generated when you request it.
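The two types share one calculation and differ only in where the counter comes from. The following Python sketch is an added example, not Authenticator's own code: the function names are hypothetical, the defaults (SHA-1, 6 digits, 30-second period) are the common RFC values standing in for the provider-specific configuration, and the look-ahead window in the provider-side check is an assumption based on the resynchronization idea in RFC 4226.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int, period: int = 30, t0: int = 0) -> int:
    """RFC 6238: the counter is the number of whole periods elapsed since t0."""
    return (unix_time - t0) // period


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """Time-based code: HOTP applied to the counter derived from the clock."""
    return hotp(secret, totp_counter(unix_time, period), digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 3, digits: int = 6):
    """Provider-side check for counter-based codes (look_ahead is an assumption).

    Returns the next counter value to store on success, or None on failure.
    Advancing past the matched counter means a used code is not accepted again.
    """
    for candidate in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate + 1
    return None


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # published RFC 4226 test key, not a real secret
    print("HOTP, counter 0:", hotp(demo_secret, 0))
    print("TOTP, now      :", totp(demo_secret, int(time.time())))
    print("next counter   :", verify_hotp(demo_secret, hotp(demo_secret, 1), 0))
```

Because the time-based counter depends only on the clock, both sides must keep reasonably accurate time; the counter-based variant instead requires the provider to track how far the client has advanced.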