
RFC 4226, "HOTP: An HMAC-Based One-Time Password Algorithm", December 2005

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
See Also: RFC 4226 w/ inline errata

Errata ID: 4994
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Mathias Tausig
Date Reported: 2017-04-14
Verifier Name: Paul Wouters
Date Verified: 2023-08-03

Section 7.2 says:

The HOTP client (hardware or software token) increments its counter
and then calculates the next HOTP value HOTP client.  If the value
received by the authentication server matches the value calculated by
the client, then the HOTP value is validated.  In this case, the
server increments the counter value by one.

If the value received by the server does not match the value
calculated by the client, the server initiate the resynch protocol
(look-ahead window) before it requests another pass.

It should say:

The HOTP client (hardware or software token) increments its counter
and then calculates the next HOTP value HOTP client.  If the value
received by the authentication server matches the value calculated by
the server, then the HOTP value is validated.  In this case, the
server increments the counter value by one.

If the value received by the server does not match the value
calculated by the server, the server initiate the resynch protocol
(look-ahead window) before it requests another pass.

Notes:

The OTP value received by the server is the one calculated by the client.

AD Note: this text still has the stray "HOTP client" string that errata eid 5723 reported.
