The Proton Blog

OTP bots: How to stay one step ahead

Alanna Alexander — Fri, 29 May 2026 16:48:19 GMT

One-time passcodes (OTPs) are a core part of traditional two-factor authentication (2FA) and multi-factor authentication (MFA).

If you log in to an account or verify a transaction, you’ll receive them by email, SMS, or authenticator apps to confirm your identity.

Now, cybercriminals have found a way to bypass these protections using OTP bots.

What is an OTP bot?

An OTP bot is an automated software program that intercepts or steals one-time passcodes used to verify your identity. The goal is to gain control of your account in what’s known as an account takeover attack (or ATO).

Cybercriminals can buy OTP bot attacks on underground marketplaces, often via Telegram, for as little as $10 per attack. This low-cost, scalable approach lets attackers target many people at once with minimal effort.

How OTP bots work

OTP bots are designed to exploit the time between when you receive a one-time password and when you enter it into the app or website. This window is often less than a minute.

Cybercriminals typically intercept the code in three ways:

OTP bot account takeover via social engineering

The attacker uses stolen or leaked credentials to trigger the OTP step on a legitimate site. A bot then contacts you by SMS or phone call, using a script designed to create urgency — for example, by impersonating a bank’s fraud team. If you share the OTP, the bot passes it to the attacker in real time, giving them access to your account. The attacker can then change the login credentials and lock you out.

OTP bot account takeover via interception

Using stolen credentials to trigger the OTP, the bot attempts to intercept the code before it reaches you. Common methods include:

SIM swap attack: The attacker convinces a mobile carrier to transfer your phone number to a SIM card they control, so SMS codes are delivered directly to them.
API exploitation: The bot targets poorly secured authentication APIs to capture OTPs as they’re generated.
Brute force: The attacker tries all possible combinations of short numeric OTPs, which is possible when the website or app you’re using has not set a limit for repeated requests.

OTP bot account takeover via relay attack

This variation does not rely on stolen credentials. Instead, it tricks you into giving an attacker both your login details and your OTP. You land on a fake website that looks like the real one and enter your credentials. The bot immediately uses those credentials to log in to the real website, which triggers an OTP sent to your phone. The fake website then asks you to enter the code, which the bot relays to the real website in real time. This lets the attacker complete the login before the code expires.

As with the other variations, the attacker can then change the credentials and lock you out of your account.

How an OTP bot can affect your business

The ease of obtaining OTP bot services is likely to increase attacks on businesses. While banking and ecommerce are common targets, any industry can be affected. Small and medium-sized businesses (SMBs) are often targeted more frequently.

Financial losses can be significant, but they are not the only risk you should consider.

As damaging as financial losses can be to an organization, that’s not the only loss that should concern business owners.

Loss of customer trust

Customer trust often drops after a data breach. A 2024 study by Vercara found that 58% of consumers consider affected brands untrustworthy, and 70% would stop shopping with a brand after a security incident.

Regulatory compliance risks

Even if no funds are stolen, your business may face fines for failing to meet data protection requirements. For example, the General Data Protection Regulation (GDPR) applies to any organization that processes the personal data of EU residents, regardless of location or company size. Penalties for non-compliance can be substantial.

How to protect your business from OTP bots

Given that human error is the hardest thing to protect against, businesses should implement as many technical safeguards as possible. These might include:

Rate limiting and throttling

Limit how many one-time passcode (OTP) requests can be made from a single IP address, phone number, or account within a set timeframe. This prevents attackers from flooding your systems with automated requests.

CAPTCHA and behavioral analysis

Use CAPTCHA challenges when suspicious activity appears, and apply behavioral analysis to detect non-human patterns such as rapid form submissions or unrealistic mouse movements.

Device fingerprinting

Track device characteristics to identify repeat offenders and flag devices making multiple OTP requests across different accounts.

Multi-factor authentication beyond OTP

Add stronger authentication methods, such as hardware security keys, biometric verification, or push notifications, to reduce reliance on OTP alone.

API security hardening

Protect your OTP APIs by requiring authentication, signing requests, validating inputs, and using secure communication channels to prevent interception or manipulation.

Monitoring and detection

Monitor usage patterns to identify unusual behavior that may indicate bot activity. Use real-time alerts to catch spikes in OTP requests or unexpected geographic access. Review logs regularly to detect threats early.

How to protect yourself from OTP bots

OTP bots can be dangerous, but you can take simple steps to protect your accounts.

Use strong, unique passwords or passkeys

Use a business password manager to generate and store unique credentials for each account. If possible, use passkeys, which remove the need for one-time passwords (OTPs).

Use a hardware security key

Physical security keys, such as YubiKey, provide strong protection against automated attacks because they require physical access to your device.

Watch for phishing attempts

Be cautious of unsolicited messages that ask for verification codes. An OTP is meant to be entered into a website or app, not shared with anyone.

Monitor your account activity

Check login history and account settings regularly for unusual activity.

Use an authenticator app instead of SMS

Time-based one-time passwords (TOTP) — codes generated by an authenticator app — are more secure than SMS-based OTPs, which can be intercepted through SIM-swapping attacks.

Good password hygiene is your first line of defense

Combining strong technical safeguards with good credential hygiene goes a long way toward keeping attackers out.

A business password manager is one of the simplest and most effective tools you can use — it ensures employees aren’t reusing weak passwords across accounts, which is exactly the kind of vulnerability OTP bots are designed to exploit.

Pair it with phishing-resistant authentication methods and a culture of security awareness, and you make your business a much harder target.

Secure video conferencing for businesses: What to know

Alanna Alexander — Fri, 29 May 2026 16:09:52 GMT

Video conferencing is used by 58% of companies as part of their regular operations. It has allowed businesses to cut travel costs, hire talent from anywhere in the world, and keep teams connected even when they are miles apart.

But every new tool comes with a trade-off. When you move sensitive conversations — like contract negotiations, financial planning, or client strategy — onto the internet, you are also opening a door for potential risks.

Let’s look at how businesses actually use this technology, the hidden risks you need to watch for, and how to choose a tool that protects your reputation.

What is video conferencing?

You’ve likely heard the term “video conferencing” everywhere lately. If you’re a business owner who has traditionally relied on phone calls or in-person meetings, you might be wondering: “Do I really need this?” or “How do I do it without exposing my business to risk?”.

Video conferencing is a real-time technology to host meetings via live video and audio over the internet. Instead of driving across town or booking a flight, you use a computer or smartphone to see and hear your colleagues or clients in real-time.

How do businesses use video conferencing in their daily operations?

Video calls have replaced many traditional in-person interactions. Here is how they help your business run smoother:

Keeping teams aligned

Whether your team is in the next office or on the other side of the globe, video calls prevent the “out of sight, out of mind” problem. Seeing faces helps catch misunderstandings early — something that often gets lost in long email chains. This keeps projects on track and prevents costly rework.

Building trust with clients

Waiting weeks to schedule an in-person meeting can kill momentum. Video conferencing lets you connect with a client immediately. You can read their body language, share your screen to walk them through a proposal, and build the personal rapport that closes deals. It feels professional and personal, without the travel expense.

Hiring the best talent, faster

You don’t have to limit your hiring to people who live within commuting distance. Video interviews let you conduct thorough, face-to-face assessments with candidates anywhere in the world. This speeds up your hiring process, ensuring you don’t lose top talent to competitors who move faster.

Making decisions when it matters

When a crisis hits or a market opportunity opens up, you can’t wait for your leadership team to gather in a boardroom. Video calls allow you to bring key decision-makers together instantly, so you can act decisively and protect your business interests.

The hidden security risks of video conferencing services

While video conferencing offers huge benefits, it introduces new challenges that many business owners overlook.

Because these conversations travel across the internet, they can be intercepted if not properly secured.

The “open door” problem

Most mainstream video platforms encrypt your call while it travels, but they decrypt it on their servers. This means the company hosting the call — and anyone who hacks their server — could technically access your conversation. If you work with confidential client data or proprietary strategies, this is a significant risk.

Data collection and privacy

Some free or ad-supported platforms collect data from your calls to train their AI or serve you targeted ads. This means your sensitive business discussions could be stored, analyzed, or shared without your explicit knowledge.

Compliance and legal risks

If you operate in a regulated industry (like finance, healthcare, or law), using an insecure platform can lead to serious trouble. Violating data protection laws like GDPR or HIPAA can result in heavy fines, legal liability, and damage to your professional reputation.

The “third-party” trap

Many tools integrate with other apps (like calendars or project management software). While convenient, these third-party connections often operate under their own privacy policies, creating blind spots where your data could be exposed.

How to choose the right video conferencing tool for your business

You don’t need to be a tech expert to make a smart choice. When evaluating video conferencing tools, answer these six questions:

Does it meet your basic needs?

Strike the right balance between overpaying for features you won’t use and settling for a tool that crashes during a client pitch.

Is it easy to use?

If your team can join a call in seconds, and where your clients can join without needing to download complex software or create an account, it will become their go-to way to communicate.

How are your calls secured?

Calls that are end-to-end encrypted means no one in the middle — not even the provider — can see or hear it.

Where is your data stored?

Data laws vary by country. Providers based in countries with strong privacy laws (like Switzerland) offer better legal protection against government overreach and weak data regulations.

Is the provider trustworthy?

If a service is free, you might be the product. Check the provider’s reputation. Do they have a history of prioritizing privacy? Are their security claims independently audited?

Does it integrate safely?

If you need integrations, ensure they don’t create unnecessary security gaps. Sometimes, a standalone secure tool is safer than a “suite” that shares data across many apps.

Protect your business with secure video conferencing software

The “easy” solution is to grab the most popular free tool. But the path of least resistance can come with hidden costs to your security and reputation.

If you treat your client data and business conversations with the same care you treat your physical office, you need a tool built for that level of trust.

Proton Meet was built by the team behind Proton Mail with this exact philosophy. It is designed for businesses that cannot afford to compromise on privacy.

Encryption by default: Every call is protected with end-to-end encryption. No one — not even Proton — can access your conversations.
Zero data collection: Your calls are not used to train AI or serve ads.
Swiss privacy laws: Hosted in Switzerland, your data enjoys some of the strongest legal protections in the world.
Open source: Our code is open-source for independent experts to audit, proving our security claims.

You can host sensitive business discussions, onboard new hires, or close deals with clients knowing that your conversations remain strictly between you and them.

Frequently asked questions

What is the difference between video conferencing and video calling?

People often use the terms interchangeably. Generally, “video calling” refers to a one-on-one chat, while “video conferencing” implies a group meeting with features like screen sharing and participant controls. However, most modern tools handle both seamlessly.

Is video conferencing secure?

It depends entirely on the tool you choose. Many popular platforms are not secure for sensitive business data. Tools like Proton Meet use end-to-end encryption to ensure that only you and your participants can access the call, making it a secure choice for business.

Which platform is best for video conferencing?

For businesses that prioritize security and privacy, Proton Meet is the top choice. It offers the familiar features you expect — screen sharing, high-quality video, and ease of use — but with a privacy-first design that ensures your data is never sold, shared, or accessed by third parties.

AI compliance tools: What small businesses need to know

Alanna Alexander — Fri, 29 May 2026 15:26:37 GMT

AI compliance is still emerging as a topic, but regulations like the EU AI Act make compliance compulsory.

However, many AI tools weren’t built to be compliance-ready. They log conversations, use your data for training, and provide little transparency about where your data ends up. That creates significant compliance risks for businesses adopting new AI technologies.

This guide explains what AI compliance is, how to choose the right tools, and how to stay compliant over time.

What is AI compliance?

AI compliance means using business AI assistants and other tools responsibly while meeting legal and ethical requirements. It differs from traditional data security compliance.

AI systems don’t just store your data; they also process it and learn from it, which creates new risks for businesses. Your business data could be used to train models, shape their outputs, or even appear in responses for other users.

According to McKinsey’s 2026 AI Trust Maturity Survey, awareness is outpacing action. Across every risk category, mitigation lags behind awareness. For example, 54% of respondents identify personal privacy as a relevant AI security risk, but only 44% are actively working to mitigate it.

AI compliance addresses these risks by focusing on:

Protecting personal data and privacy
Securing data against unauthorized access
Ensuring transparency in AI decision-making
Preventing discrimination and bias

Why AI compliance matters

The regulatory landscape for AI is evolving quickly, alongside the technology itself. In 2024, the EU AI Act came into effect as the first comprehensive AI regulatory framework.

It bans certain uses of AI and places strict requirements on others. For example, some systems must clearly disclose that people are interacting with AI.

While most countries do not yet have comprehensive AI laws, existing regulations may still apply at national or regional levels. Frameworks like GDPR and HIPAA already restrict how you can use personal data, including in AI systems.

AI compliance is not just about avoiding fines. It also helps you maintain trust and reduce legal risk. If AI systems produce biased or incorrect outcomes, you risk losing customer trust, facing regulatory scrutiny, or opening yourself up to legal action.

How to choose the right AI tools for small businesses

Choosing compliant AI tools isn’t fundamentally different from choosing a tool that handles sensitive data. As we covered earlier, AI systems don’t just store data; they learn from it and can expose it in unexpected ways.

Here’s what to focus on:

Data protection and privacy

Choose tools that encrypt your data and comply with regulations such as GDPR. Vendors should be transparent about where your data is stored, who can access it, and whether it is used to train AI models. Make sure you can delete your data when needed.

Transparency and control

Choose tools that explain how decisions are made and allow for human oversight. This helps you justify outcomes to customers or regulators and ensures you retain control when needed.

Fairness and ethical use

Choose tools that include safeguards to reduce bias and discrimination, especially for sensitive use cases like hiring or customer support. Vendors should also be able to explain how they test for fairness and address issues when they arise.

Compliance support

Choose tools that align with your industry regulatory requirements and provide documentation for audits. This makes it easier to demonstrate compliance, especially in regulated sectors like healthcare.

Best practices for maintaining AI compliance

Choosing the right tools is just one part of the equation. The other half is staying compliant, which requires ongoing effort.

Establish AI guidelines

The infamous 2023 Samsung-ChatGPT leak occurred when employees accidentally shared confidential trade secrets by pasting them into ChatGPT. It’s an incident that could have been prevented with established AI guidelines.

AI guidelines let your team know what’s acceptable and what isn’t when it comes to AI use. Your AI policy should cover which tools are approved, what they can be used for, and what data can and cannot be shared with them. Also, assign someone to maintain and update these guidelines as regulations and technology evolve.

Keep records of AI usage

If you can’t show how AI is being used in your business, you’ll struggle to respond when regulators or auditors ask questions. Track which tools are in use, what decisions they’re influencing, and any significant outputs. Where possible, ask vendors for usage logs and model update reports to simplify documentation.

Minimize and anonymize data

The less personal data you feed into AI systems, the lower your risk. Only share what’s necessary for the task, and strip out identifying details like names and addresses where possible. And make sure you have explicit permission before using customer or employee data with AI tools — don’t assume consent.

Monitor for unfair treatment

AI systems can develop biases from historical data, even when those biases are unintended. You should regularly review output for discriminatory patterns that disadvantage people by age, gender, race, sexuality, or other characteristics.

Amazon scrapped an AI recruiting tool in 2018 after discovering it downgraded resumes from women. The system had been trained on a decade of historical resumes — most from men — and learned to treat male candidates as the standard for success, penalizing resumes that deviated from that pattern.

How Proton helps businesses achieve strong AI compliance

AI may be a new frontier, but the fundamentals of compliance remain the same — strong data management, clear access control, and visibility over how your information is used.

Proton for Business is a suite of team collaboration tools built on these principles and extends them to AI with Lumo, our privacy-first AI assistant.

Keep full control of your data with Lumo

Need to summarize a confidential contract, brainstorm a sensitive business strategy, or analyze financial documents? With most AI tools, that’s risky — your inputs could be logged, used for training, or accessed by third parties.

Lumo is a business AI assistant that lets you work with sensitive information freely. No logs, no training on your data, and everything encrypted so only you can read it.

Manage credentials with Proton Pass

When employees share passwords over email or keep them in spreadsheets, you lose visibility over who has access to what — and that’s a compliance liability.

Our business password manager, Proton Pass, gives you a secure way to manage and share credentials, with clear oversight over access. When someone leaves, revoking their access only takes seconds.

Keep your files private with Proton Drive

Enjoy the productivity benefits of AI without the compliance challenges.

Proton Drive is a business cloud storage solution that integrates directly with Lumo, so your files stay within an end-to-end encrypted environment, allowing you to use AI with client documents or financial records without exposing them to third parties.

Protect your network with Proton VPN

When your team accesses AI tools or business systems from outside the office, unsecured networks create gaps in your data protection.

A business VPN encrypts their connections, keeping sensitive information protected in transit. And with a strict no-logs policy, there’s no record of your team’s activity that could be exposed or subpoenaed.

Backed by Swiss privacy laws

As a Swiss company, Proton operates under strong privacy protections. This limits external access to your data and helps safeguard your business.

Protect your business and ensure AI compliance with a secure business suite

With Proton Workspace, your business gets access to secure email, cloud storage, a password manager, VPN protection, and a private AI assistant. Proton’s entire ecosystem works together to keep your business private and compliant.

You can now use your Gmail account in Proton Mail

Anant Vijay Singh — Thu, 28 May 2026 11:44:19 GMT

The case for leaving Gmail is well-established. Google scans all your Gmail activity to build advertising profiles that follow you across the internet and tie all of your activity to you.

Breaking up with Gmail overnight and making the transition to a privacy-first email provider, however, might not seem so easy, because it means informing all of your contacts and updating your email across possibly dozens of other services. To make switching from Gmail easier, you can now send emails from your Gmail address directly inside Proton Mail.

When you activate this feature, your latest Gmail messages will be imported into Proton Mail, so you have your recent conversations and updates right there with you. New emails received in your Gmail will then continue to appear in your Proton Mail inbox automatically.

Unlike Gmail, Proton doesn’t scan your emails, serve you ads, use your data for AI training, or build profiles on your correspondence. Your inbox is yours, not a data source. And the more you shift to your Proton address, such as services like Netflix and Amazon, the less Google has on you.

A more private way to use Gmail

This new feature allows you to check your Gmail inbox directly from Proton Mail, meaning you don’t need to go back to the Gmail app, which brings about several privacy benefits.

Proton strips trackers, ads and spam from your emails, giving you greater privacy compared to Gmail, which is basically adware. The Gmail app gathers an immense amount of data about you, and by Google’s own admission, uses your approximate location to show you more relevant ads, all of which is prevented by switching to the Proton Mail app.

Google will no longer be able to use your email activity, such as which emails you read and engage with, to build a profile about you. When your friends and family use Proton Mail too, messages exchanged between Gmail addresses connected to Proton become end-to-end encrypted, so Google will not be able to read your data anymore. That’s why it’s worth inviting the people you email most to join Proton and connect their Gmail accounts.

Connect Gmail in Proton Mail now

Not on Proton Mail yet? Create a free account.

This feature is rolling out gradually. If you don’t see it in your Proton Mail settings yet, it’s on its way.

Set it up easily

Open Import via Easy Switch in your Proton Mail settings.
Connect your Gmail account.

Find out how to move from Gmail to Proton Mail.

Connecting your Gmail does not give Google access to your Proton Mail inbox, so your privacy remains fully intact and protected.

An easier transition towards ditching Big Tech

For privacy and ethical reasons, it is better to ditch Big Tech entirely. Using Gmail from within Proton Mail does not solve some of the longstanding privacy issues with Gmail. Google is still reading every email received by your Gmail account, including any sensitive personal communications you might receive there.

Once your important accounts are updated and Gmail is only getting your spam, you can disconnect Gmail from Proton Mail entirely for a cleaner inbox experience and delete your Google account.

Connect Gmail in Proton Mail now

Not on Proton Mail yet? Create a free account.

In addition to Gmail, you can import your emails from Outlook, Yahoo and Apple Mail, using Easy Switch or our import tool, making it easier to consolidate your digital life in one place.

By using Gmail from within Proton Mail, you can gradually transition away. Every account you update to use your Proton Mail address instead of Gmail is one less source of data for Google’s gigantic data harvesting machine.

How to block websites on Chrome: A step-by-step guide for parents

Ben Wolford — Wed, 27 May 2026 16:00:10 GMT

It’s only getting harder to manage screen time for kids — whether it’s setting up time limits, or making sure they don’t access inappropriate content. Sometimes you’ll think you’ve covered your bases by blocking access to an app (like YouTube or game apps like Roblox), but it turns out they’ve found a workaround by accessing the same content through their browser.

If you need to block a website on your Chrome browser, it’s important to note that Chrome doesn’t have a built-in way to do this, so we’ll share a few different approaches for both desktop and mobile.

Why would I need to block a website on Chrome?

There are any number of reasons why you might want to block websites on Chrome. These might include:

To block inappropriate content
To limit screen time
To prevent access to social media
To block access to certain games

Blocking access to specific websites can be an important part of your approach to limiting screen time and protecting your child’s mental health.

Options for blocking websites on Chrome

Here’s a quick overview of your options before we go into detail for each one.

Option	Ease of use	Devices impacted
Family Link	Simple	Mobile and desktop
Chrome extensions	Simple	Desktop
Device-level settings	Simple	Mobile
Router-level blocking	Difficult	All devices

How to block websites on Chrome with Google Family Link

Family Link is the most robust free option for parents, and it’s pretty simple to set up. You can use the Family Link categories to block sites, or add individual websites.

Create a Gmail account for your child using Family Link
Open Family Link and select your child’s profile
Tap Controls > Google Chrome and Web
Choose one of the existing settings (Allow all sites, Try to block explicit sites, or Only allow approved sites)
Select Approved sites and Blocked sites under “Manage sites” to add approved and or blocked websites

This option works across desktop and mobile, provided your child is signed into their Google account. If you have an older device, however, you should check to confirm it’s compatible.
Google’s SafeSearch is another feature that helps you manage explicit content in your child’s search results. If your child is logged in to their Google account with their correct age (and is under 18), this feature will already be toggled on to the Filter setting, which blocks any explicit content that’s been detected.

Parent tip: Once your child turns 13 they can opt for an unsupervised Gmail account, meaning you can no longer manage their account. They can then visit the previously blocked websites, and adjust the SafeSearch settings.

How to use Chrome extensions to block websites

Installing a Chrome extension is the most popular method if you only need to worry about desktop solutions. These extensions generally allow you to be more granular about permissions, so you can block websites at certain times (for example overnight, or during homework times) and allow them at others.

Choose an extension and install it
Add the URLs for the websites you’d like to block
Set a password so that your kids can’t disable the extension
Optional: Set time usage limits for sites, set blocking schedules, or block by category

Some commonly recommended extensions include BlockSite and Stay Focusd, however, you should do your due diligence and make sure the extension you choose meets your needs and gets a good rating in the Google Play or App Store. Note that while many of them are technically free, you’ll probably need to pay in order to block more than one or two sites.

Parent tip: Chrome extensions won’t work if your child switches to another browser.

How to block websites on Chrome Mobile

If you only need to block websites on mobile devices, or want to supplement your Chrome extension solution, here’s how you can go about blocking sites on your child’s mobile device:

Android devices

The Digital Wellbeing and parental controls settings on Android allow you to adjust how long they can spend on each site, but if you’re looking for more targeted control, you’ll need to download Google’s Family Link app, which integrates with Android’s Digital Wellbeing.

Parent tip: Digital Wellbeing’s website filtering applies to the Chrome browser. If your child decides to use a different browser, you may need to block those browser apps entirely through Family Link’s app controls.

iPhone/iPad

The Screen Time settings offer a lot of control over what your kids can see on their devices, including the ability to block websites.

Navigate to Screen Time, scroll down to Family and select your child’s name
Scroll down and select Content & Privacy Restrictions
Ensure this option is toggled on and tap App Store, Media, Web & Games
Select Web Content and choose your preferred settings

Parent tip: These settings apply to everything on the iPhone or iPad, not just websites accessed using Google Chrome.

How to block websites on Chrome using your router

For parents who want to block sites across every device in the house, including gaming consoles, smart TVs, and more, you may be able to do this by updating your router settings. This is a more advanced option, but most routers have an app you can download, which makes the process slightly easier.

These are the steps for the ASUS router, which allows you to block categories, such as pornography and gambling, rather than specific pages.

Tap on the Family tab
Add a profile using the + on the top right of the screen
Choose the age range that’s appropriate
Add all the devices that you want grouped under that profile
Select the time scheduling mode
Go into the new profile and select Content Block
Block all relevant categories

We recommend looking up the specific steps for your home router as the level of customization varies across devices and models.

Parent tip: Kids can circumvent router blocks by using mobile data.

What you can’t block (and what to do instead)

Kids are digital natives, and they’re shockingly good at finding workarounds when it comes to technical blockers; lock down Chrome and they may download another browser or use a friend’s device. Parental controls are important, including for social media, but they work best alongside open conversations about internet safety and digital literacy.

If you’re using multiple services to manage your child’s online activity, you may find it useful to use a secure password manager to keep all your logins in one place. Proton Pass also offers a dedicated family password manager that can help you share and manage family logins.

Parent tip: While these are all good options for preventing your child from seeing inappropriate content on Google Chrome, using Google products leaves your child vulnerable to Google’s data collection, tracking, and profiling. You may want to consider looking into a privacy-focused browser..

FAQ: Blocking websites on Chrome

Can I block websites on Chrome without an extension?

Yes, the best way to block websites on Chrome without an extension is to use the Family Link app.

How do I block websites on Chrome on my child’s phone?

To block websites on your child’s phone, you can use the Family Link app on Android or iOS, or update the Screen Time settings on iOS devices.

How do I stop my child from unblocking websites?

The Family Link restrictions are tied to your Google account, so your child can’t change Chrome’s filter settings without parental approval. However, this doesn’t mean they won’t attempt to access websites on a browser other than Chrome, or on a device that isn’t covered by parental controls. It’s best to pair technical solutions with conversations around what’s appropriate and why.

Does blocking work in incognito mode?

If your child is signed in to Chrome with an account managed by Family Link, then incognito mode is not available to them.

Is there a free way to block websites on Chrome?

Yes, Family Link is free, and there are some Chrome extensions that offer basic site blocking at no cost, although you’ll have to pay to get the really useful features.

Can you shop safely on Facebook Marketplace? Common scams to watch out for

Ben Wolford — Wed, 27 May 2026 15:18:55 GMT

Who doesn’t love snagging a bargain online? It’s easy on the wallet, kinder to the planet, and you often uncover unique pieces.  But buying from strangers on the internet carries risks that you rarely encounter in brick‑and‑mortar stores or with established brands.

To help you shop safely, we’ll share the most common fraud tactics you’ll find on Facebook Marketplace, how to report sellers, and some clear, actionable steps to stay safe while shopping on the platform.

What is Facebook Marketplace?

Facebook Marketplace is the social network’s built-in classifieds hub, allowing anyone to list or browse items within their Facebook account. Because listings are linked to a real Facebook profile, you can see the seller’s name, profile picture, and any mutual friends.

This information can lend a sense of legitimacy, but can also be fabricated by scammers who exploit the platform’s openness. Fake messages and fake ads on Facebook and sister company Instagram have proliferated in recent years. In 2025, reporting from Reuters proved that scam ads actually account for 10% of Meta’s income.

Common Facebook Marketplace scams and how to avoid them

There are endless ways scammers can try to defraud genuine buyers and sellers on Facebook Marketplace, but these are some of the more common scams to watch out for.

Gift card payment scams

Target: Buyers and sellers

There are a few variations on this scam:

After agreeing to purchase an item, the bogus buyer claims to have “accidentally” sent too much money. They ask for a refund of the excess amount, often via a gift card code, but after the seller provides the refund, the original payment is reported as fraud and reversed.
The bogus seller requests payment via a gift card instead of a payment platform that offers buyer protection. The scammer immediately uses the gift card, doesn’t send the item, and the buyer has no recourse to recover the money.
The bogus seller is offering a gift card below cost, for example, a $100 App Store gift card for $80. After the buyer purchases it, they discover the gift card is fake or already used.

Too-good‑to‑be‑true pricing

Target: Buyers

You come across a listing for something where the price is far below market value. After you pay, the seller disappears, or the item delivered is counterfeit or of poor quality.

Deposit scams

Target: Buyers

Often combined with the pricing scam, a seller will list an item at an incredibly low price. They then claim they’ve had a lot of interest in the item and will require you to pay a deposit to hold it, or miss out. Once the buyer pays the deposit, the listing and the seller will disappear.

Phishing scams

Target: Buyers and sellers

Scammers masquerade as buyers or sellers to send convincing “secure checkout” links to make or request payment. Because the interaction happens through Messenger, it’s easy for the target to assume a malicious link is valid. If you manually enter your details into the bogus link (rather than using a password manager), you may unwittingly share your private credentials with the scammer.

Facebook Marketplace scam red flags

These signs aren’t definitive confirmation of a scam, but rather a sign to proceed with caution.

Payment requests with no buyer protection

Payment methods that don’t offer buyer protection include PayPal Family and Friends, wire transfers, gift cards, and cash.

Stock photos of items in listings

You can ask the seller to take some new photos of the item, and if you’re suspicious, ask them to include a piece of paper with the date and their name written on it in the photo.

Urgent language

Anything that requires you to act fast and bypass your better judgment or normal processes should be a red flag.

Newly created Facebook accounts

Scammers often have to create new accounts after being reported. A newly created profile, with very few friends or followers and no other listings, is a definite red flag.

Your password manager doesn’t autofill your credentials

If you have a PayPal account but your password manager doesn’t fill in your details when you use the PayPal link the seller shares, the link may be a phishing or spoofed site. When a password manager refuses to autofill, it means the URL you’re looking at doesn’t match the legitimate PayPal domain (paypal.com vs. paypa1.com).

Which payment method should you use on Facebook Marketplace?

Choosing the right way to send and receive money is the biggest factor in staying safe on Facebook Marketplace. We’ve outlined the most common options, the protection each offers, and the red flags to watch for.

Payment option	How it works on Marketplace	Buyer‑protection level	When to use	Red flags
Meta Pay (formerly Facebook Pay)	Built into the Messenger checkout flow, you link a credit/debit card or bank account once and then pay with a single tap.	Full protection; Meta handles disputes, and you can request a refund if the item isn’t delivered or is not as described.	Ideal for most transactions, provided both parties have access to it.	Be sure the payment screen shows the official Meta Pay branding and correct URL.
PayPal – Goods & Services	Select the “Pay for goods/services” option to ensure the payment goes through PayPal’s protected channel.	Full protection; you can open a dispute within 180 days, and PayPal may reimburse you if the seller fails to deliver.	Good for higher‑value items or when parties don’t have access to Meta Pay.	Scammers often request to use the Friends & Family option, as it doesn’t offer buyer protection.
Credit or debit card	Enter card details on the Meta Pay checkout or a seller‑provided secure payment page.	Card‑issuer chargeback rights; most banks allow you to dispute unauthorized payments or undelivered goods.	Useful when the seller insists on a custom checkout page that you recognize as legitimate (for example, a verified Stripe link).	Beware of unfamiliar URLs that mimic PayPal or Stripe; a password manager will refuse to autofill on mismatched domains.
Apple Pay / Google Pay	Mobile wallets that tokenize your card details; supported where the seller uses Meta Pay or a compatible checkout.	Same protection as the underlying card, plus tokenization reduces exposure of your raw card number.	Convenient for mobile‑first shoppers who already have these wallets set up.	Only use when the checkout clearly indicates Apple Pay or Google Pay; never click a link that redirects to a plain‑HTML “payment” page.
Cash	Hand the money to the seller when you meet at a public location.	No digital protection – you rely entirely on the physical exchange.	Acceptable for large items where postage isn’t an option.	Avoid meeting in secluded places, and take someone with you if possible.

How does a password manager help protect against Facebook Marketplace phishing scams?

By pairing a protected payment method with a robust password manager like Proton pass, you dramatically reduce the attack surface that scammers rely on.

Domain‑locked autofill: Your credentials are injected only on the exact URL you saved. If a scammer sends a fake PayPal link, the manager won’t fill in your password, alerting you to the mismatch.

Secure vault for payment details: Store credit card numbers, billing addresses, and even one‑time virtual cards in an encrypted vault. You can copy‑paste the data into a verified checkout without ever typing it on a malicious page.

Unique passwords per service: If a phishing site somehow captures a password, the breach won’t affect your other accounts because each service uses a distinct login.

How to report a Facebook Marketplace seller or listing

Reporting a listing on the Facebook app

Select the Marketplace icon
Open the listing you want to report
Tap the three dots on the top right corner
Select Report listing

Reporting a seller on the Facebook app

Select the Marketplace icon
Open a listing from the seller you want to report
Scroll down to the seller details and tap on the seller name
Tap the three dots next to View profile

Select Report.

Reporting a seller or listing on the Facebook website

Open Marketplace
Open the listing you want to report
Tap the three dots on the top right corner
Select Report listing or Report seller

Alternatively you can report from within your Facebook Messenger chat window, by tapping the three dots, and selecting Report.

Best practices for staying safe on Facebook Marketplace

So, is Facebook Marketplace safe? With the right precautions, the answer is a qualified yes.

Here are some easy ways to make your shopping experience safer:

Always use a payment gateway with buyer and seller protection and verify any payment links shared by sellers.
Do your due diligence — check the Facebook profile of the person you’re dealing with to see if it’s newly created, has any reviews, and whether any other items have been listed, bought, or sold.
Don’t give out bank details, phone numbers, or other personal information, and use a password manager to keep your private information secure.
If you’re meeting in person, choose a public, well‑lit spot like a coffee shop (if possible), bring a friend, and inspect the item properly before paying.

How to change your WiFi password

Ben Wolford — Wed, 27 May 2026 14:37:30 GMT

Changing your WiFi password every 3-6 months is considered best practice, but many of us are guilty of setting and forgetting. It’s not hard to update, though, and can protect you from security headaches ranging from bandwidth theft to device exploitation.

We’ll cover which scenarios prompt a WiFi password reset and how to reset your password on your router and update it across your devices.

When it’s a good idea to change your WiFi password

Changing the WiFi password on popular home routers

Changing WiFi password on Windows 10/11

Changing WiFi password on macOS

Changing WiFi password on Android

Changing WiFi password on iOS

Should I change my WiFi network name (SSID)?

When it’s a good idea to change your WiFi password

Aside from updating your WiFi password every 3-6 months, some specific events should trigger a password reset.

After a guest leaves

If you share your WiFi password with anyone who’s not a member of your household, you’ll want to change it after they leave. At the same time, you could set up a guest account for future guests.

If you suspect a device is compromised

A compromised device can capture your WiFi password, sniff traffic, or act as a bridge for attackers to reach other devices on the same network.

When you receive a firmware update that resets settings

It might be tempting to ignore updates, but router manufacturers regularly issue firmware updates to patch security vulnerabilities, improve stability, or add new features.

If you notice unknown devices on your network

It’s a good idea to check your network devices periodically. Seeing unfamiliar MAC addresses or device names in your router’s connected‑device list is an indication that someone may have joined your WiFi without permission.

Changing the WiFi password on popular home routers

Many routers have a dedicated app for managing them. Using the app is generally recommended over the website, and makes it fairly straightforward to see devices and traffic on your network, as well as to change your password and network name.

ASUS routers

ASUS has one app that works across all ASUS routers, available for download from their website, the App Store, or Google Play.

Open the app and select Settings
Select WiFi > Wireless Settings > Network Settings
Add your new password in the Network Key field
Tap Apply

(Steps may vary slightly depending on your firmware.)

What if I can’t use the app?

Connect your computer to your router
Open a browser and go to http://www.asusrouter.com or type your router’s IP address directly
Log in using your router username and password
Navigate to:

For firmware (>3.0.0.6.102_35404): Network > Main network profile

For firmware (<3.0.0.6.102_35404): Wireless > General

Select WPA Pre-Shared Key (Password) and enter your new password
Click Apply

ASUS support page

NETGEAR routers

NETGEAR has separate apps for Nighthawk and Orbi Mesh routers. Select your NETGEAR router type and download the app from their website, the App Store, or Google Play. Although the apps are different, the steps are the same.

Open the app and select WiFi Settings
Select the WiFi network you want to update
Enter your new password
Tap Save

What if I can’t use the app?

Connect your computer to your router
Open a browser and go to the appropriate URL or type your router’s IP in directly

Nighthawk: www.routerlogin.net or www.routerlogin.com

Orbi: www.orbilogin.com

Log in using your router username and password
1. Nighthawk: Select Wireless
2. Omni: Select Basic > Wireless
Enter your new password in the Password (Network Key) field
Click Apply

NETGEAR support page

Verizon routers

Download the Verizon Home app – available in the Apple App Store and Google Play.

Launch the app and log in with your My Verizon credentials
In Connections, tap Network
Select Primary tab > Edit Wi-Fi
Enter your new password in the Wi-Fi password field
Tap Save changes

What if I can’t use the app?

As long as you don’t have a Fios Quantum Gateway or a Verizon Fios Advanced router, you should be able to change the WiFi password manually.

Open a browser and enter 192.168.1.1
Log in using your router username and password
Follow the onscreen directions (or refer to your router user guide)

Verizon support page

TP-Link routers

You can download TP-Link’s Tether app from their website, the  App Store, or Google Play.

Launch the app and log in with your TP-Link credentials
Tap Tools > Wireless
Enter a new password in the Password field
Tap Save

What if I can’t use the app?

Connect your computer to your router
Open a browser and go to http://tplinkwifi.net or type your router’s IP address directly
Log in with your router username and password
In the left‑hand menu, select Wireless > Wireless Settings
Enter your new password in the Password / Pre‑Shared Key field
Click Save

If your router isn’t included here, you should be able to find the instructions by searching “[router name] change WiFi password” or similar.

And of course, once you’ve changed your WiFi password on your router, you’ll need to update the password in your password manager and across your devices.

Changing WiFi password on Windows 10/11

Click the WiFi icon in the taskbar and select Network & Internet settings
Choose Wi‑Fi > Manage known networks
Find your network and click the three‑dot menu > Forget
Return to the WiFi icon, click your network name, and enter the new password
Select Connect automatically if you want to auto-join in the future

Changing WiFi password on macOS

Open System Settings > Wi-Fi
Next to your network name, select Details…
Scroll to the bottom and select Forget This Network… > Remove
Reselect your network and enter your new password
Select Remember this network to auto-join in the future

Changing WiFi password on Android

Open Settings > Network & internet > WiFi
Tap the gear icon next to your network > Forget
Select the network name and enter your new password

Changing WiFi password on iOS

Open Settings > Wi‑Fi
Tap the information button next to your network and choose Forget This Network > Delete > OK
Return to the Wi-Fi screen, tap your network name, and type the new password
Select Auto‑Join if you want your device to reconnect automatically

We’ve also written a guide about how to share your WiFi password.

Should I change my WiFi network name (SSID)?

Your WiFi network name, officially known as the service set identifier (SSID), doesn’t need to be changed regularly, but you should change your SSID from the default setting.

SSID best practices

Skip the generic router labels. Names like “NETGEAR_47” or “Linksys123” hand over clues to anyone scanning for networks. Pick a unique, non‑descriptive SSID that doesn’t give attackers a head start.
Give your network a distinct identity. Changing the default SSID thwarts “Evil Twin” attacks, where malicious actors clone popular router names to lure unsuspecting users onto a rogue hotspot.
Don’t rely on hiding alone. Disabling SSID broadcast adds a layer of obscurity, but it isn’t a real security barrier. Skilled adversaries can still discover hidden networks with the right tools.
Keep personal details out of the mix. Avoid using your name, street address, birthdate, or any other identifying information in the SSID. A clean, anonymous network name protects your privacy and reduces the risk of targeted attacks.

HOTP vs TOTP vs OTP: What do you need to know?

Kate Menzies — Wed, 27 May 2026 13:20:28 GMT

Authenticator apps, hardware tokens, and SMS codes are common authentication methods you’d encounter when setting up two-factor authentication (2FA). All of them rely on one-time passwords (OTP). TOTP and HOTP are two standardized types of OTPs, while SMS and email codes are other common OTP delivery methods. Although they fundamentally serve the same basic purpose, their implementations differ, giving them unique benefits and limitations. In this article, we’ll break down HOTP vs TOTP vs OTP and explain which option makes most sense for different use cases.

Understanding HOTP, TOTP, and OTP

One-time password (OTP)

OTPs are temporary codes, sometimes referred to as single-use passwords or 2FA codes, that are used only once. They don’t replace passwords; instead, they provide an additional layer of security. OTPs are commonly used in banking applications for identity verification during logins or when setting up an online account.

Note: OTP is the umbrella term for various forms of single-use passwords, including TOTP, HOTP, and email/SMS.

Time-based one-time password (TOTP)

TOTP codes are typically 6-digit codes generated by authenticator apps. They’re valid for around 30 seconds (sometimes up to 60 seconds, depending on the service). When a code expires, it is no longer functional, and a new one is generated. The time-based nature of TOTP makes it highly secure, as it limits the window of opportunity for attackers to use any stolen code.

HMAC-based one-time password (HOTP)

HOTPs are commonly found in hardware tokens like YubiKeys and rely on a counter-based system to generate codes. This system works in a similar fashion to a book of numbered vouchers — there’s a running order of codes that gets matched against the system. As long as the hardware token and application server remain in sync, you’re granted access.

Unlike TOTP, HOTP codes do not expire on a timer. They remain valid until you use it or generate a new code. This makes it ideal for offline scenarios, but it also means if you generate a code and don’t use it, it remains a valid key that an attacker could find and use.

HOTP, TOTP, and OTP: Key differences

TOTP and HOTP are both types of OTPs with different generation methods. For example, if you’re comparing TOTP against OTP, you’re likely comparing the time-based codes from authenticator apps against general OTP methods like SMS and email codes.

	SMS/Email codes	TOTP	HOTP
Code validity	Varies (minutes to hours)	30 to 60 seconds	Until a new code is generated
Security*	Low	High	Moderate
Setup complexity	None	Low	Moderate
Active network requirement	Yes	No	No
Additional hardware	None	None	Hardware token

*Security level based on code validity windows and interception risk.

Security

HOTP, TOTP, and OTP offer different levels of security, with the key considerations being exposure time and transmission method.

TOTP generally offers stronger security than SMS or email codes, as codes are generated on device and have a short validity. If attackers somehow get your TOTP code, it becomes useless.

HOTP is built on a cryptographic foundation, providing solid security. However, because HOTP codes don’t expire on a timer, the potentially long validity windows could make stolen codes a vulnerability.

SMS and email codes are the least secure of the bunch. They travel over networks that can be intercepted or redirected, making them more vulnerable to SIM swap or phishing attacks..

Note: No OTP method is immune to social engineering attacks, such as phishing. It’s important to know how to spot phishing to properly defend yourself.

SMS/Email codes	TOTP	HOTP
Susceptible to interception due to active network requirements	Minimal time for attackers to exploit stolen codes	Long validity offers extended attack opportunities
Unencrypted platforms make codes easier to steal	Lower interception risk, as codes are generated on device	Solid security built on a cryptographic foundation

User experience

Setup complexity, time pressure, and reliability affect the user experience of the three methods.

TOTP is reliable and convenient. Setup is straightforward (often simply a QR code scan), and codes are generated even without an active network. However, the short code expiry creates time pressure, which can cause frustration for slower users or those managing multiple accounts.

HOTP is much more relaxed in comparison, with zero time constraints. Setup is much more complex, though, and may involve purchasing additional hardware.

SMS and email codes are the most effortless, with no setup, but they rely on network connectivity, which can cause delays during outages or disruptions.

SMS/Email codes	TOTP	HOTP
No setup required	Simple setup via QR code with a 2FA authenticator	Complex setup, may require additional hardware
Slight time pressure, with some codes expiring in hours	Time pressure can cause frustration	No time pressure
Wholly dependent on an active network for code delivery	Works reliably even without a network connection	Works offline, but sync issues may occur

Limitations

The unique limitations of each method will affect how and when you use them. SMS and email codes work with your existing devices, but their dependence on your network and internet connections can cause delays with code delivery that might even last longer than their validity.

TOTP does not require a network connection to generate codes, but it does require your smartphone to be time-synchronized with the server for your code to work. The best way to ensure this is to have your device’s clock automatically sync with the internet. So, when you’re travelling, the time sync remains in place.

With HOTP, generating new codes offline can be beneficial when network connectivity is poor. This is a double-edged sword, however. Regenerating codes without using them can cause your device to fall out of sync with the server, creating authentication failures. Also, the manual regeneration required with HOTP places a huge security onus on the user.

SMS/Email codes	TOTP	HOTP
Areas of poor network can cause significant delays in code delivery	Device time needs to be in sync with server time, even when travelling	Can go out of sync if too many codes are generated but not used

Which OTP method should you use?

The short answer is that TOTP is the best standard for most people, while HOTP serves specific offline needs. Both are superior to SMS.

While individual needs vary, TOTP appears to be the more balanced choice in most situations. The time-based nature provides an additional layer of security, and smartphone-enabled accessibility makes it a convenient and secure choice for the accounts you regularly access. But, for even stronger protection against phishing, hardware-based methods like FIDO2/passkeys go further than any OTP method.

Store passwords and generate OTPs securely

Managing passwords and TOTP authentication codes can be a hassle — constant app switching during logins reduces the already limited time you have to enter codes. Proton Pass is a secure password manager that reduces this friction with our integrated 2FA (TOTP) functionality. Access your passwords, 2FA codes, and more from one secure, encrypted vault.

What is TOTP? Everything you need to know about time-based one-time passwords

Kate Menzies — Tue, 26 May 2026 17:58:27 GMT

You’ve probably had to enter a six-digit code from an authenticator app when signing in online. That’s known as a time-based one-time password, or TOTP, and it’s an incredibly easy way to enhance the security of your online accounts.

Thanks to their quick 30 to 60-second expiry of these codes, they make it nearly impossible for cybercriminals to access your account even if they manage to steal your passwords. We’ll explore what TOTPs are, how they work, and how they compare with other authentication methods.

What is TOTP?

A TOTP is a type of one-time password (OTP) that generates temporary codes using time as a key ingredient. These codes change every 30 to 60 seconds, making it extremely difficult for cybercriminals to compromise. In the unlikely event they somehow discover your code, its short lifespan quickly makes it almost useless to an attacker.

TOTP is a two-factor authentication (2FA) method that adds an extra security layer to your username and password. It’s convenient to use — just generate the code from an authenticator app — and its time-based nature makes it very secure.

How does TOTP work?

To put it simply, TOTP works by sharing a secret key between the service you’re protecting and your TOTP app.

When you enable 2FA, you scan a QR code to share the secret key with your TOTP authenticator. TOTP apps are free, and common ones include Google Authenticator and Microsoft Authenticator. If you’re using a secure password manager, it might feature an integrated 2FA authenticator that generates TOTP codes. Proton Pass is one such password manager; it stores your passwords securely and generates your 2FA codes all in one app.

Once the initial setup is complete, the service you’re logging into and the authenticator app sync to independently calculate the same code at the same time using the secret key. When you log in, you’ll be prompted to enter a 2FA code. If the service’s code matches the one you enter, you’ll be logged in.

The differences between TOTP and other one-time passwords

TOTP is just one of several one-time password (OTP) methods. Here’s a quick overview of how TOTP compares against them. You can also find a more extensive guide on the difference between TOTPs, OTPs, and HOTPs.

TOTP vs OTP

OTP is an umbrella term for single-use passwords. TOTP is a type of OTP that uses a time-based model to generate OTP codes. All TOTPs are OTPs, but there are other OTP methods. These include SMS and email codes, and HOTP. Each method has different ways of generating and delivering your OTP code.

TOTP vs HOTP

HMAC-based one-time passwords (HOTPs) generate a new OTP code only when requested. This means that every code is valid until a new one is generated, which makes them more prone to compromise. TOTP codes automatically refresh after 30 to 60 seconds, so attackers have less time to use stolen codes.

TOTP vs SMS and email codes

SMS and email codes are delivered over cellular and internet networks, which makes them vulnerable to interception. If you’re using poorly secured or compromised networks, attackers could snoop on your activity and obtain your OTP codes. Comparatively, TOTP codes are generated on-device and not transmitted over any network, making them more secure.

The security benefits of TOTP

There are several security benefits that come with using TOTP as your preferred OTP method.

Time-limited codes: TOTP codes expire within 30 to 60 seconds before a new code is generated. This gives attackers next to no time to use stolen TOTP codes since expired codes can’t be reused.
Interception-proof: TOTP codes are generated on-device. They don’t get transmitted over networks where they could be intercepted due to poor network security.
Breach protection: If your password is exposed in a data breach, TOTP codes provide an additional barrier to unauthorized logins. Attackers cannot access your account without your authenticator app.
Works on any smartphone: TOTP works right from your smartphone — no need to purchase a hardware token. Just download an authenticator app onto your device, and you’re set.

TOTP offers excellent security, but it isn’t perfect. Losing your device could lock you out of accounts, so always save backup codes. Also, ensure your devices’ clocks automatically sync with the internet, as incorrect time settings are a common cause of TOTP failures.

Secure your accounts with TOTP

TOTP enhances your account security with time-based codes that are superior to other OTP methods. Managing multiple passwords and 2FA codes doesn’t have to be a hassle — just use Proton Pass, a password manager with an integrated TOTP authenticator.

Proton Pass combines password storage and generation with a 2FA authenticator, eliminating app switching when signing in and needing to download extra apps. It saves you precious storage space and makes signing in with 2FA seamless. Everything you store in Proton Pass, including the codes you generate, is protected by powerful end-to-end encryption.

Take login security to the next level — enable TOTP for your accounts and store all your passwords with Proton Pass today.

What is HOTP? A guide to HMAC-based one-time passwords

Ben Wolford — Tue, 26 May 2026 17:15:27 GMT

If you’ve ever used a hardware token to approve digital banking transactions or tapped on a YubiKey to generate a login code, you’ve used HMAC-based one-time password (HOTP) technology. To help you understand how you can use HOTP to protect your accounts, we’ll explore how HOTP works, its benefits and limitations, and compare it with other OTP methods.

What is HOTP?

HOTP stands for HMAC-based one-time password. It’s a two-factor authentication (2FA) method that generates single-use login codes on demand.

HMAC, or Hash-based Message Authentication Code, is a cryptographic technique that uses a secret key and a hashing function to produce a secure, tamper-resistant value. HOTP applies HMAC together with a counter to ensure that each authentication code is unique and can only be used once.

Because HOTP codes remain valid until used or replaced, they are well-suited for remote work and other environments where reliable time synchronization or constant connectivity isn’t possible.

How does HOTP work?

HOTP authentication is based on two shared components: a secret key and a counter. Both the user’s device and the authentication server store these values and use them to independently generate the same one-time code.

Setup: When a hardware token is set up, a secret key is shared between the device and the application server and stored securely on both sides.

Generating a code: The device uses a cryptographic hash function called HMAC to combine the secret key with the current counter value. The result is a short, unpredictable one-time password.

Authentication: When you enter the HOTP code, the server performs the same calculation using its own copy of the secret key and counter. If the codes match, access is granted.

The HOTP counter system explained

HOTP relies on a unique counter system shared between your device and the authentication server. Each time you generate a new code, the counter increments. After a successful login, the server updates its counter as well. As long as the device and server counters stay in sync, the codes will match and grant you access.

Think of HOTP as a book of numbered vouchers that you tear off and use in sequence. A used voucher can’t be reused, and you must use the next one. The HOTP counter system operates similarly.

HOTP authentication vs. other OTPs

HOTP vs. OTP

One-time passwords (OTP) is a broad term for the various single-use passwords we utilize for 2FA. HOTP is a specific type of OTP that relies on a counter-based system to generate its codes.

HOTP vs. TOTP

Time-based one-time passwords (TOTP) automatically generate a new code every 30 to 60 seconds. The most common example of TOTP is the codes generated by authenticator apps. HOTP, by contrast, generates a new code only when requested, using a counter rather than a timer.

This difference affects the security of each OTP method. The quick expiration of TOTP gives attackers a very small window of opportunity. Conversely, HOTP codes could remain valid for days and even weeks.

However, HOTP is more reliable in situations where devices have unreliable clocks. For example, equipment in remote locations with weak internet connections.

HOTP vs. SMS and email codes

OTP codes sent via SMS and email are susceptible to interception because they must travel across cellular and internet networks. HOTP generates codes on-device, making it more secure while providing consistent access even during network disruptions.

What are the benefits and limitations of HOTP?

The benefits of HOTP authentication

There are several advantages to using HOTP as your preferred OTP method:

Works offline: HOTP can operate offline, making it ideal for locations with restricted internet access.
No time pressure: HOTP codes don’t automatically expire, so you can take your time to enter the code.
Recognized algorithm: HOTP is defined by RFC 4226, which ensures compatibility across software providers and hardware tokens from various vendors.
Fewer dependencies: HOTP’s counter-based system doesn’t rely on accurate clocks or continuous connectivity, which can make it more predictable in certain environments.

The limitations of HOTP authentication

As with all technologies, HOTP comes with some important considerations:

Indefinite validity: HOTP codes can remain active indefinitely if no new codes are generated. This gives attackers more time to exploit stolen codes.
Counter synchronization: If you generate codes without using them, your device and server counters can fall out of sync, causing authentication failures.
Manual management: Since codes don’t automatically expire, you must remember to generate new codes after each use.

Take a step towards stronger password security

While HOTP may not offer the security benefit of automatic expiration or the convenience of SMS codes, its counter-based system offers unique advantages. It’s a proven 2FA system with reliable offline access, and the absence of time pressure might make it preferable for some.
To easily manage your passwords and 2FA codes in one encrypted location, consider using Proton Pass. Our secure password manager with an integrated 2FA authenticator keeps all your credentials and 2FA codes protected with full end-to-end encryption. Keeping your digital life secure and convenient has never been simpler.