9.19.1 HOTP

HOTP is a counter-based one-time password. To configure the HOTP authenticator, you can specify the following parameters:

  • OTP format: The number of digits in the OTP token. The default value is 6 digits. The value must be the same as that of the tokens you are using.

  • OTP window: The size of the OTP window defines the number of OTPs that are valid for authentication. When the counters are out of sync, this parameter determines the allowed difference between the counter on the token and the counter on the server. Based on this difference, the server can recalculate the next OTP values to validate against the OTP received from the token. The server stores the last counter value (C) for which the user has provided a valid password. While verifying a new OTP from the token, the server validates C+1, C+2, and so on until one of the OTPs matches, or until it reaches C+w, where w is the OTP window.

    You can use an HOTP token, such as a YubiKey, to access not only Advanced Authentication but also websites or third-party services. After each use, or when a user presses the token button accidentally, the HOTP counter on the token increases by 1. Therefore, the counter goes out of sync between the token and the Advanced Authentication server.

    For example, if the OTP window is set to 10 (the default) and the current counter value on the server is 100, then any OTP generated by the token with a counter value from 100 to 110 is valid for authentication.

    WARNING: Do not increase the HOTP window value to more than 100, because it may decrease security by causing false matches.

During enrollment or HOTP counter synchronization in the Self-Service portal, the Enrollment HOTP window, which has a value of 100,000, is used. This helps in the following ways:

  • HOTP tokens may have been used for a long period before enrollment in Advanced Authentication, so the counter value is unknown and can be in the thousands.

  • It remains secure because users must provide three consecutive HOTPs.
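The look-ahead verification described under OTP window, and the enrollment-time synchronization that accepts three consecutive HOTPs within the 100,000 window, as an added Python example (not Advanced Authentication's own code). It assumes RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) and uses the RFC's published test secret; the function and class names are my own.

```python
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 test secret, not a real token seed.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to the configured number of digits (OTP format)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def look_ahead(secret, last_counter, otp, window, digits=6):
    """Try counters C+1 .. C+w; return the matching counter, or None."""
    for c in range(last_counter + 1, last_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), otp):
            return c
    return None


class HotpAuthenticator:
    """Server side: stores the last accepted counter C and resyncs on success."""

    def __init__(self, secret, digits=6, window=10):
        self.secret, self.digits, self.window = secret, digits, window
        self.counter = 0  # last counter for which a valid OTP was presented

    def verify(self, otp):
        c = look_ahead(self.secret, self.counter, otp, self.window, self.digits)
        if c is None:
            return False  # outside the window, or a replay of an older counter
        self.counter = c  # resync: the token may have advanced by accidental presses
        return True

    def resync(self, otps, enrollment_window=100_000):
        """Self-Service sync: the first OTP may lie anywhere in the large
        enrollment window; each following OTP must match the next counter."""
        first = look_ahead(self.secret, self.counter, otps[0], enrollment_window, self.digits)
        if first is None:
            return False
        for i, otp in enumerate(otps[1:], start=1):
            if not hmac.compare_digest(hotp(self.secret, first + i, self.digits), otp):
                return False
        self.counter = first + len(otps) - 1
        return True
```

A replayed OTP, or one whose counter the server has already moved past, fails because the look-ahead starts at C+1; a large window widens the range of codes the server will accept, which is why the warning above caps it.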