robertoo11
#1
Choosing Between HOTP and TOTP for Secure Logins
Oct 20, 2025 9:33 AM
Non-member Joined: Feb 09, 2024
Posts: 2
Hey folks, I’m building a small tool that needs OTP for sign-in and I’m unsure whether to pick HOTP or TOTP. Security is the priority, but I also care about users getting locked out if their phone clock drifts or they miss a code. Some flows will be offline for a bit, then reconnect. What’s the sane default these days? Are there any gotchas around rate limits, backup codes, or counter resync that I should plan for? Clear, real-world tips would be more helpful than theory—thank you for considering my request.
martinharris
#2
Oct 20, 2025 10:10 AM
Non-member Joined: May 12, 2023
Posts: 1
Good question, and nice that you’re thinking about user lockouts early. TOTP is time-based and usually smoother because phones keep time well enough; add a small time window (±1 step) and you’ll avoid most fails. For offline or batch actions, HOTP shines since it doesn’t rely on time and you can advance the counter on successful use. Mid-flow, consider using a tool like the hotp generator so you can test counters, window sizes, and throttling. Also: rate-limit attempts, expose backup codes, and store only hashed secrets. If you expect device changes, offer an easy re-enroll path and verify with a second factor before resetting.
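The advice above (a ±1-step TOTP window, advancing the HOTP counter on successful use, throttling attempts, and keeping backup codes) in working form. This is an added example written for this thread, not code from any poster; it uses only the Python standard library and the RFC 4226/6238 test secret. The window, look-ahead and lockout constants are illustrative choices. One caveat on storage: the OTP shared secret itself has to be recoverable by the server (encrypted at rest, not hashed), because HMAC needs the raw key; only the backup codes, which are compared directly, can be stored as hashes.

```python
"""HOTP/TOTP verification with a drift window, HOTP counter resync,
single-use hashed backup codes and per-account throttling.
Added example for the thread; constants are illustrative assumptions."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_used_step: int = -1,
                step: int = 30, window: int = 1):
    """Accept the current step and +/- `window` neighbours (phone clock drift),
    refuse any step at or below the last accepted one (replay of a used code),
    and return the accepted step so the caller can persist it, else None."""
    current = at // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, ), code):
            return candidate
    return None


def verify_hotp(secret: bytes, code: str, stored_counter: int, look_ahead: int = 5):
    """HOTP with a resync look-ahead: the user may have generated a few codes
    offline without submitting them, so try the stored counter and the next
    `look_ahead` values. Return the counter to persist (one past the match),
    or None. Counters below the stored value are never accepted."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def make_backup_codes(n: int = 8):
    """Return (plaintext codes to show once, store dict with salted SHA-256 hashes)."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(5) for _ in range(n)]  # 10 hex chars each
    hashes = [hashlib.sha256(salt + c.encode()).hexdigest() for c in codes]
    return codes, {"salt": salt, "hashes": hashes}


def use_backup_code(store: dict, code: str) -> bool:
    """Constant-time lookup; a matching code is deleted so it is single use."""
    h = hashlib.sha256(store["salt"] + code.encode()).hexdigest()
    for i, stored in enumerate(store["hashes"]):
        if hmac.compare_digest(stored, h):
            del store["hashes"][i]
            return True
    return False


class Throttle:
    """Per-account limiter: after `max_attempts` consecutive failures the
    account is locked for `lockout` seconds; a success clears the count."""

    def __init__(self, max_attempts: int = 5, lockout: int = 300):
        self.max_attempts, self.lockout = max_attempts, lockout
        self.state = {}  # user -> (failure count, locked-until timestamp)

    def allowed(self, user: str, now: int) -> bool:
        _, until = self.state.get(user, (0, 0))
        return now >= until

    def failure(self, user: str, now: int) -> None:
        count, until = self.state.get(user, (0, 0))
        count += 1
        if count >= self.max_attempts:
            self.state[user] = (0, now + self.lockout)
        else:
            self.state[user] = (count, until)

    def success(self, user: str) -> None:
        self.state.pop(user, None)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret
    print("TOTP at t=59:", totp(secret, 59))             # 287082
    print("drift ok:", verify_totp(secret, "287082", 89))  # step 1 accepted at step 2
    print("HOTP resync:", verify_hotp(secret, "969429", 0))  # counter 3 used -> store 4
```

`verify_totp` and `verify_hotp` return the value to persist rather than a bare boolean so the caller cannot forget to advance the step or counter; rejecting steps at or below `last_used_step` is what stops a captured code from being replayed inside the drift window.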
jeffhardyy35
#3
Oct 20, 2025 10:15 AM
Non-member Joined: Sep 13, 2025
Posts: 6
Thanks for raising this. Hearing the trade-offs laid out like that makes it easier to map to real use. I’m leaning toward TOTP for day-to-day logins and keeping HOTP for recovery or special offline actions. The reminder about backup codes and time windows is helpful, and I hadn’t thought about clearly handling device changes. I’ll keep an eye on throttling too so people can’t brute-force. Following this thread for more examples from production setups.