_Added in 3.3_ *$hotp(, , [hash], [digits], [encoding])* Returns an HOTP (HMAC-based One-Time Password) based on the specified parameters. _HOTP is designed for hashes no shorter than 160 bits, so using md5 hash is not secure enough and should never be used with $hotp._ _See also [[$totp]], [[$hmac]]._ *Parameters* key - The key to hash. (Auto-detected between text/hex/base32 as described below) count - a unique (sequential) number. valid range 0-2^64-1 hash - Hash method to hash the key with. (sha1, sha256, sha384, sha512, md5, sha1 is default) digits - Number of digits to return. (3 - 10, default is 6) *(AdiIRC only: digits=0 returns entire internal HMAC string)* encoding - Sets encoding method for 'key'. (t = UTF8 plain text, x = hex, a = base32) *(AdiIRC only)* Default when 'encoding' is not used, attempts to support 'key' in several formats as follows: if (key length excluding spaces is any of lengths 40|64|128 and $remove(key,$chr(32)) is hex ) encoding = x if (key length excluding spaces is any of lengths 16|26|32 and $remove(key,$chr(32)) is base32) encoding = a These assume hex keys of 160|256|512 bits, or base32 keys of 80|128|160 bits. all other cases: encoding = t encoding 'x' or 'a' ignore all spaces padding, but 't' does not. All encoding formats reject key being $null or entirely consisting of spaces. Note: definition of base32 is case-insensitive [a-zA-Z2-7] after removing spaces, and '=' padding is NOT allowed Note: It's recommended that the secret 'key' contain entropy no less than the bit length of the 'hash' used. Also, hash blocklength is 64 except for sha512|sha384 having 128. Key is shortened to hash(key) if key is longer than 'blocklength'. i.e. Using key longer than 512 bits with hash=sha1 shortens key to 160 bits: //var -s %key $regsubex(foo,$str(x,65),/x/g,$rand(a,z)) | echo -a $hotp(%key,123) same as $hotp($sha1(%key),123) (Equivalence is due to the length 40 string seen as encoding=x)