HMAC
HMAC OTP is the abbreviation for Hashed Message Authentication Code One-Time Password.
It is based on the HMAC, which was originally used to ensure the integrity of a message. In the case of HMAC OTP, the inputs to the HMAC are a secret HMAC key and a counter. An authentication device in the user's possession knows the HMAC key and the counter. The authentication backend also knows the user's HMAC key and counter.
When the user tries to authenticate, the HMAC value is calculated from the key and the counter. Only this value (now called the OTP value) is transmitted for authentication. The authentication backend is also able to calculate the next OTP value from the HMAC key and the counter. At the moment it is cryptographically "not possible" to deduce the counter or the HMAC key from the OTP value, so an eavesdropper who is not in possession of the HMAC key or the counter cannot calculate the next OTP value.
The counter can be event-based or time-based.
This is a very rough overview; for detailed information please turn to RFC 4226.
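
The calculation and the backend check described above, as an added Python example that is not part of the original page or of any product's code. It follows RFC 4226 (HMAC-SHA-1, dynamic truncation, 6 digits); the look-ahead window of 3, the 30-second time step and the function names are assumptions chosen for illustration, and the key is the published RFC 4226 test key.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test key from RFC 4226 Appendix D.
SAMPLE_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Compute the OTP value for one counter value (RFC 4226, section 5.3)."""
    # The counter is the HMAC message, encoded as an 8-byte big-endian integer.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte select a 4-byte slice.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(key: bytes, stored_counter: int, submitted: str, window: int = 3):
    """Backend check: return the new counter to store, or None on failure.

    `window` (an assumed policy value) tolerates a device whose counter ran
    ahead of the backend, for example after unused button presses.
    """
    for candidate in range(stored_counter, stored_counter + window + 1):
        expected = hotp(key, candidate).encode()
        # compare_digest avoids leaking matching digits through timing.
        if hmac.compare_digest(expected, submitted.encode()):
            # Storing candidate + 1 means an accepted OTP cannot be replayed.
            return candidate + 1
    return None


def time_counter(unix_time: float, step: int = 30) -> int:
    """Time-based variant: the counter is the number of elapsed time steps."""
    return int(unix_time // step)


if __name__ == "__main__":
    print([hotp(SAMPLE_KEY, c) for c in range(3)])
    print(verify(SAMPLE_KEY, 0, "359152"))  # device is two events ahead
    print(verify(SAMPLE_KEY, 3, "359152"))  # same value replayed afterwards
```

A wider window makes resynchronisation easier but gives a guesser more valid values per attempt, so it is normally paired with a limit on failed attempts.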


