One time passwords (hotp rfc4226, totp rfc6238) as used in two factor authentication systems such as Google's.

Upstream URL


Ben Hyde <>


Apache 2.0


One time passwords provide a way to do authentication based on a shared secret without revealing that secret to spies on the communciation channel.

Two well specified ways of generating OTPs are:

  • HOTP - An HMAC-Based One-Time Password Algorithm, i.e. RFC 4226
  • TOTP - Time-Based One-Time Password Algorithm , i.e. RFC 6238

These are commonly used as one factor in two factor authentication systems. For example Google uses these. For example Google's Authenticator App for most smart phones will generate one time passwords once it has been configured with the shared secret(s) for your account(s).

Cl-one-time-passwords implements HOTP and TOTP in Common Lisp.


  1. Load the code into your lisp image.
  2. Share a secret with Google's Authenticator App on your smart phone by scanning this QDR code:

QR Code

  1. Compair the values that Authenticator is generating with the ones this code generates:
  (totp:totp "48656C6C6F21DEADBEEF48656C6C6F21DEADBEEF")

They ought to be the same, but if your phone and computer clock are out of sync by a N seconds then every 30 seconds for N seconds they won't be the same.

That QR encodes this URL otpauth://totp/ where the secret is the base32 encoding of the secret we passed to totp:totp in step 3, there the value was a 40 character hex number, i.e. 20 bytes.



The number of digits to return in the htop values, defaults to six. See the RFC for details.


The kind of hmac to use. This defaults to :sha1. You can set other values ironclad supports; but my testing currrently indicates it doesn't work. This isn't part of the HOTP spec, but the TOTP spec extends HOTP ... even if nobody usest this extension.

(hotp:hotp <secret> <counter>)

is a string of 20 characters hex digits; more if your using a different hmac sha.


Defaults to zero, a unix time. See the RFC for details.


Defaults to 30, a unix time interval. See the RFC for details.

(totp:totp <secret> &optional offset unix-time)

as in hotp:hotp. The offset defaults to zero. The unix-time defaults to the current unix-time. The offset is used to get totp values nearby times slots, it is in seconds.

See also:


This code as not yet been used in production. I look forward to reports back from the field. :)

Dependencies (2)

  • fiveam
  • ironclad

Dependents (0)

    • GitHub
    • Quicklisp