robertoo11
Oct 20, 2025 9:33 AM
Non-member
Posts: 15
Hey folks, I’m building a small tool that needs OTP for sign-in and I’m unsure whether to pick HOTP or TOTP. Security is the priority, but I also care about users getting locked out if their phone clock drifts or they miss a code. Some flows will be offline for a bit, then reconnect. What’s the sane default these days? Are there any gotchas around rate limits, backup codes, or counter resync that I should plan for? Clear, real-world tips would be more helpful than theory—thank you for considering my request.
martinharris
Oct 20, 2025 10:10 AM
Non-member
Posts: 14
Good question, and nice that you’re thinking about user lockouts early. TOTP is time-based and usually smoother because phones keep time well enough; add a small time window (±1 step) and you’ll avoid most fails. For offline or batch actions, HOTP shines since it doesn’t rely on time and you can advance the counter on successful use. Mid-flow, consider using a tool like the hotp generator so you can test counters, window sizes, and throttling. Also: rate-limit attempts, expose backup codes, and store only hashed secrets. If you expect device changes, offer an easy re-enroll path and verify with a second factor before resetting.