What distinguishes HMAC-Based One-Time Password (HOTP) from TOTP?

HMAC-Based One-Time Password (HOTP) is distinguished from Time-based One-Time Password (TOTP) fundamentally by its method of generating passwords. HOTP uses a counter-based mechanism for generating one-time passwords, rather than relying on time.

The correct answer highlights that HOTP involves synchronizing a shared secret between the client and the server. Each time a user requests a new password, the counter value is incremented, and the HMAC (Hash-based Message Authentication Code) of the counter, keyed with the shared secret, is computed to generate the OTP. Because both parties hold the same secret and track the same counter, they can generate the same password, allowing for secure authentication.

The other options do not accurately describe HOTP. For instance, HOTP does not use the current time for calculation, which is a defining feature of TOTP. Additionally, while HOTP might require certain forms of user input for operations, this is not a distinguishing factor between HOTP and TOTP. Finally, HOTP does not inherently rely on external hardware tokens—while it can be implemented on such devices, it is not a requirement and can also be used in software applications.
