Open, Strong Authentication for Everyone

OATH (Initiative for Open Authentication) is a global, vendor-neutral effort to define and promote open standards for strong authentication. Our work underpins widely deployed methods such as HOTP, TOTP, and OCRA, enabling secure access for billions of users and devices.

Why OATH matters today

Strong authentication is no longer optional. Enterprises, service providers, and device manufacturers must secure identities across cloud, on-premises, and hybrid environments while maintaining usability and avoiding vendor lock-in.

OATH’s mission is to:

  • Publish open, royalty-free specifications for one-time passwords and related mechanisms.
  • Promote interoperability between tokens, authenticators, and validation servers.
  • Provide guidance for large-scale, real-world deployments of strong and passwordless authentication.

Core OATH Standards

HOTP (RFC 4226)

HMAC-based One-Time Password algorithm. Counter-based OTP widely used in hardware tokens and software authenticators.

TOTP (RFC 6238)

Time-based One-Time Password algorithm. Time-synchronized OTP used by many popular authenticator apps and online services.

OCRA (RFC 6287)

OATH Challenge-Response Algorithm. A flexible framework for challenge/response authentication and transaction signing.

Focus

OATH and Passwordless Authentication

OATH’s work on open OTP standards forms part of the foundation for many passwordless and multi-factor solutions deployed today. OATH focuses on:

  • Bridging legacy OTP deployments with modern, phishing-resistant authentication approaches.
  • Ensuring interoperability between devices, identity providers, and applications.
  • Providing implementation guidance so vendors and enterprises can deploy strong authentication safely and consistently.

For Implementers

If you build authentication products, platforms, or services:

  • Start with our reference architecture and RFCs.
  • Use OATH certification profiles to validate interoperability.
  • Contribute implementation experience and new requirements back into the community through technical working groups.

For Enterprises

If you deploy authentication at scale:

  • Choose products that align with OATH standards and certification profiles.
  • Use our best-practice guides to plan migrations from passwords and proprietary OTP.
  • Engage with OATH to share deployment experiences and requirements.

Stay Informed

Follow the evolution of open, interoperable strong authentication: