Login confirmation with a HMAC-based one-time password (HOTP)#

Any hardware key fob compatible with the RFC4226 “HOTP: An HMAC-Based One-Time Password Algorithm” standard can be used to verify the second factor of authentication using the One-Time Secret-based Password (HOTP) authentication method.

To use HOTP, you must:

  • configure and enable this authentication method;

  • upload a HOTP device description file to Blitz Identity Provider. The description file is provided by the HOTP device provider. To upload the description file, use the ”Devices” menu section in Blitz Identity Provider admin console;

  • bind the HOTP device to the user account and issue the HOTP device to the user. Binding can be done in two ways - either the administrator binds the device by serial number to the user account in the Management Console under the “Users” menu, or the user binds the device to his/her account by himself/herself using the “My Account” web application.


To configure the “One-time secret-based password (HOTP)” authentication method, you must set:

  • maximum allowable deviation during code verification - the number of subsequent codes (for example, if the user accidentally pressed the button to generate a new password and did not use it during the authentication process) at which the authentication will be successful. If the user enters the correct code, Blitz Identity Provider will automatically resynchronize with the device;

  • reject for synchronization - if the user repeatedly presses the code generation button on the device and does not use the code to confirm the login, the device will cease to be synchronized with the server. In this case, the next time the user logs into Blitz Identity Provider, he or she will be prompted on the login page to go through the device reconciliation procedure. To do this, the user will enter three confirmation codes sequentially generated by the device. Blitz Identity Provider will then check whether the code sequence entered by the user is encountered according to the “Reject for synchronization” setting and will resynchronize with the device if successful;

  • total number of attempts - number of attempts to enter the confirmation code, after which this confirmation method will be blocked;

  • blocking time when attempts are exceeded (in minutes).