Passport strategy for two-factor authentication using a HOTP value.

This module lets you authenticate using a HOTP value in your Node.js applications. By plugging into Passport, HOTP two-factor authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express. HOTP values can be generated by hardware devices or software applications, including Google Authenticator.

Note that in contrast to most Passport strategies, HOTP authentication requires that a user already be authenticated using an initial factor. Requirements regarding when to require a second factor are a matter of application-level policy, and outside the scope of both Passport and this strategy.


$ npm install passport-hotp


Configure Strategy

The HOTP authentication strategy authenticates a user using a HOTP value generated by a hardware device or software application (known as a token). The strategy requires a setup callback and a resync callback.

The setup callback accepts a previously authenticated user and calls done providing a key and counter used to verify the HOTP value. Authentication fails if the value is not verified.

After successful authentication, the resync callback is invoked to synchronize the counter values on the server and on the token.

passport.use(new HotpStrategy(
  function(user, done) {
    HotpKey.findOne({ userId: }, function (err, key) {
      if (err) { return done(err); }
      return done(null, key.key, key.counter);
  function(user, key, counter, delta, done) {
    HotpKey.update(, { key: key, counter: counter }, function (err, key) {
      if (err) { return done(err); }
      return done();

Authenticate Requests

Use passport.authenticate(), specifying the 'hotp' strategy, to authenticate requests.

For example, as route middleware in an Express application:'/verify-otp', 
  passport.authenticate('hotp', { failureRedirect: '/verify-otp' }),
  function(req, res) {
    req.session.authFactors = [ 'hotp' ];


For a complete, working example, refer to the two-factor example.


$ npm install
$ make test

Build Status



The MIT License

Copyright (c) 2013 Jared Hanson <>