HOTP setup help

paigeholden

New member
Oct 16, 2025
Starting from scratch with HOTP and could use plain advice. Phone and laptop both in play, plus a couple of servers that only support one-time passwords. Unsure how to pick a counter start, how often to resync, and what to do if tokens drift after a few failed attempts. Wondering about backing up secrets without exposing them, and whether to store on device or a hardware key. Also confused about rate-limits and lockouts. Looking for a simple checklist to set this up safely and avoid locking myself out at the worst moment.
 

ricerick

New member
Oct 16, 2025
Happy to break it down. Start by generating a single secret per account and keep it in an encrypted vault; export recovery codes and store them offline. On servers, set a small window for counter drift (like ±5) and enable throttling so brute force is harder. On clients, use a reputable app that can import a raw base32 secret and shows the moving counter. Mid-rollouts often fail because people test on two devices with the same secret; pick one primary and only clone if you truly need redundancy. For a straightforward tool and docs that explain counters, resync, and backups, check this hotp generator in the middle of your setup process. After pairing, do two successful logins, then advance the counter a few times to confirm drift handling. Finally, write down a recovery path: SSH key, backup code, or admin reset, so you’re never stuck.