All Projects → BastiaanJansen → otp-java

BastiaanJansen / otp-java

Licence: MIT license
A small and easy-to-use one-time password generator library for Java according to RFC 4226 (HOTP) and RFC 6238 (TOTP).

Programming Languages

68154 projects - #9 most used programming language

Projects that are alternatives of or similar to otp-java

CrOTP - One Time Passwords for Crystal
Stars: ✭ 62 (-42.06%)
Mutual labels:  otp, totp, hotp, two-factor-authentication, 2fa
🔑 A small library for generating TOTP and HOTP one-time passwords on iOS.
Stars: ✭ 243 (+127.1%)
Mutual labels:  otp, totp, hotp, two-factor-authentication, 2fa
A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
Stars: ✭ 664 (+520.56%)
Mutual labels:  otp, totp, hotp, two-factor-authentication, 2fa
Open source two-factor authentication for Android
Stars: ✭ 3,326 (+3008.41%)
Mutual labels:  otp, totp, hotp, two-factor-authentication
apache 2fa
Apache two-factor (2FA) authentication with Google Authenticator based on Time-based One-Time Password (TOTP) or HMAC-based one-time password (HOTP) Algorithms.
Stars: ✭ 63 (-41.12%)
Mutual labels:  totp, hotp, two-factor-authentication, 2fa
Java Otp
A one-time password (HOTP/TOTP) library for Java
Stars: ✭ 265 (+147.66%)
Mutual labels:  totp, hotp, two-factor-authentication, 2fa
A .NET implementation of TOTP and HOTP for things like two-factor authentication codes.
Stars: ✭ 424 (+296.26%)
Mutual labels:  otp, totp, two-factor-authentication, 2fa
One Time
One Time Password (TOTP and HOTP) library for Clojure. TOTP/HOTP is widely used for Two Factor / Multi Factor Authentication.
Stars: ✭ 129 (+20.56%)
Mutual labels:  totp, hotp, two-factor-authentication, 2fa
A free, secure and open source app for Android to manage your 2-step verification tokens.
Stars: ✭ 2,692 (+2415.89%)
Mutual labels:  otp, totp, hotp, 2fa
Twofactor totp
🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
Stars: ✭ 203 (+89.72%)
Mutual labels:  otp, totp, two-factor-authentication, 2fa
HMAC-based (HOTP) and Time-based (TOTP) One-Time Password manager. Works with Google Authenticator for Two-Factor Authentication.
Stars: ✭ 79 (-26.17%)
Mutual labels:  otp, totp, hotp, two-factor-authentication
Enhanced fork of FreeOTP-Android providing a feature-rich 2FA authenticator
Stars: ✭ 223 (+108.41%)
Mutual labels:  otp, totp, hotp, 2fa
One Time Password (HOTP/TOTP) library for Node.js, Deno and browsers.
Stars: ✭ 135 (+26.17%)
Mutual labels:  otp, totp, hotp, two-factor-authentication
📱 Two-Factor Authentication (2FA) client for Android + Wear OS
Stars: ✭ 155 (+44.86%)
Mutual labels:  totp, hotp, two-factor-authentication, 2fa
One Time Password for 2-Factor-Authentication implemented in Rust
Stars: ✭ 21 (-80.37%)
Mutual labels:  otp, 2fa, rfc-6238, rfc-4226
🔑 One Time Password (OTP) / 2FA for Node.js and Browser - Supports HOTP, TOTP and Google Authenticator
Stars: ✭ 916 (+756.07%)
Mutual labels:  otp, hotp, two-factor-authentication, 2fa
Totp Cli
A cli-based pass-backed TOTP app
Stars: ✭ 76 (-28.97%)
Mutual labels:  otp, totp, 2fa
Yubikey Manager Qt
Cross-platform application for configuring any YubiKey over all USB interfaces.
Stars: ✭ 137 (+28.04%)
Mutual labels:  otp, hotp, 2fa
Javascript One-Time Password module.
Stars: ✭ 71 (-33.64%)
Mutual labels:  otp, totp, hotp
A highly configurable yet simple to use TOTP based two-factor authentication processing module for SimpleSAMLphp.
Stars: ✭ 16 (-85.05%)
Mutual labels:  totp, two-factor-authentication, 2fa


Build & Test Codacy Badge

A small and easy-to-use one-time password generator for Java according to RFC 4226 (HOTP) and RFC 6238 (TOTP).

Table of Contents


The following features are supported:

  1. Generation of secrets
  2. Time-based one-time password (TOTP, RFC 6238) generation based on current time, specific time, OTPAuth URI and more for different HMAC algorithms.
  3. HMAC-based one-time password (HOTP, RFC 4226) generation based on counter and OTPAuth URI.
  4. Verification of one-time passwords
  5. Generation of OTP Auth URI's





implementation 'com.github.bastiaanjansen:otp-java:1.3.2'

Scala SBT

libraryDependencies += "com.github.bastiaanjansen" % "otp-java" % "1.3.2"

Apache Ivy

<dependency org="com.github.bastiaanjansen" name="otp-java" rev="1.3.2" />

Or you can download the source from the GitHub releases page.


HOTP (Counter-based one-time passwords)

Initialization HOTP instance

To create a HOTP instance, use the HOTP.Builder class as follows:

HOTP.Builder builder = new HOTP.Builder(secret);
HOTP hotp =;

The above builder creates a HOTP instance with default values for passwordLength = 6 and algorithm = SHA1. Use the builder to change these defaults:

HOTP.Builder builder = new HOTP.Builder(secret);

HOTP hotp =;

When you don't already have a secret, you can let the library generate it:

// To generate a secret with 160 bits
byte[] secret = SecretGenerator.generate();

// To generate a secret with a custom amount of bits
byte[] secret = SecretGenerator.generate(512);

It is also possible to create a HOTP instance based on an OTPAuth URI. When algorithm or digits are not specified, the default values will be used.

URI uri = new URI("otpauth://hotp/issuer?secret=ABCDEFGHIJKLMNOP&algorithm=SHA1&digits=6&counter=8237");
HOTP hotp = HOTP.fromURI(uri);

Get information about the generator:

byte[] secret = hotp.getSecret();
int passwordLength = hotp.getPasswordLength(); // 6
HMACAlgorithm algorithm = hotp.getAlgorithm(); // HMACAlgorithm.SHA1

Generation of HOTP code

After creating an instance of the HOTP class, a code can be generated by using the generate() method:

try {
    int counter = 5;
    String code = hotp.generate(counter);
    // To verify a token:
    boolean isValid = hotp.verify(code, counter);
    // Or verify with a delay window
    boolean isValid = hotp.verify(code, counter, 2);
} catch (IllegalStateException e) {
    // Handle error

TOTP (Time-based one-time passwords)

Initialization TOTP instance

TOTP can accept more paramaters: passwordLength, period, algorithm and secret. The default values are: passwordLength = 6, period = 30 and algorithm = SHA1.

// Generate a secret (or use your own secret)
byte[] secret = SecretGenerator.generate();

TOTP.Builder builder = new TOTP.Builder(secret);

    .withAlgorithm(HMACAlgorithm.SHA1) // SHA256 and SHA512 are also supported

TOTP totp =;

Or create a TOTP instance from an OTPAuth URI:

URI uri = new URI("otpauth://totp/issuer?secret=ABCDEFGHIJKLMNOP&algorithm=SHA1&digits=6&period=30");
TOTP totp = TOTP.fromURI(uri);

Get information about the generator:

byte[] secret = totp.getSecret();
int passwordLength = totp.getPasswordLength(); // 6
HMACAlgorithm algorithm = totp.getAlgorithm(); // HMACAlgorithm.SHA1
Duration period = totp.getPeriod(); // Duration.ofSeconds(30)

Generation of TOTP code

After creating an instance of the TOTP class, a code can be generated by using the now() method, similarly with the HOTP class:

try {
    String code =;
    // To verify a token:
    boolean isValid = totp.verify(code);
} catch (IllegalStateException e) {
    // Handle error

The above code will generate a time-based one-time password based on the current time. The API supports, besides the current time, the creation of codes based on timeSince1970 in seconds, Date, and Instant:

try {
    // Based on current time;
    // Based on specific date Date());
    // Based on seconds past 1970;
    // Based on an instant;
} catch (IllegalStateException e) {
    // Handle error

Generation of OTPAuth URI's

To easily generate a OTPAuth URI for easy on-boarding, use the getURI() method for both HOTP and TOTP. Example for TOTP:

TOTP totp = new TOTP.Builder(secret).build();

URI uri = totp.getURI("issuer", "account"); // otpauth://totp/issuer:account?period=30&digits=6&secret=SECRET&algorithm=SHA1

Recovery Codes

Often, services provide "backup codes" or "recovery codes" which can be used when the user cannot access the 2FA device anymore. Often because 2FA device is a mobile phone, which can be lost or stolen.

Because recovery code generation is not part of the specifications of OTP, it is not possible to generate recovery codes with this library and should be implemented seperately.


OTP-Java is available under the MIT License. See the LICENCE for more info.

Stargazers repo roster for @BastiaanJansen/otp-java

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].