I am using HOTP to generate OTPs for second-factor authentication. I am using event-based generation of OTPs and providing a window of 10 iterations should there be a mismatch between the client's and server's counters.
However, I am being asked what happens if an OTP from the past is re-generated at any point in time.
Since the OTP is a 6-digit number, there could be only 999999 combinations available for a user. Hence, an OTP cannot be unique over its lifetime and it will be regenerated at some point. Could there be a pattern in when a particular OTP repeats?
Also, if an OTP is regenerated within a window size of 10, it could be worse as it would be vulnerable to replay attack.
Kindly guide me on this.
No, there should not be a repeating, predictable pattern if you don't know the secret key, by using randomness (it would be an important discovery and a flaw in the algorithm to be otherwise).
Although you can tolerate a window size of 10, only tolerate that going forward. Never accept a token that is less than the last confirmed counter, otherwise you are leaving open a replay attack.
HOTP, TOTP or anything else isn’t immune to all forms of attack, of course, so you need a multi-layered approach to your security that is realistic about the vectors of attack vs. the cost of defending.
A more in-depth discussion is probably best had here. In this answer I'm trying to stick to the implementation issues.
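As an added illustration of the advice above (example code, not from the question or the answer), here is an RFC 4226 HOTP generator with a server-side verifier that only searches forward within the look-ahead window and advances the stored counter on success. A 6-digit value may well recur at some later counter, but a token for any counter at or below the last confirmed one is never accepted, which is what closes the replay. The secret is the RFC 4226 test-vector key, used here as constructed sample input.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test-vector key, used here as constructed sample input.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state: the next counter the server expects, plus a forward look-ahead window."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.window = window
        self.next_counter = 0  # one past the last confirmed counter

    def verify(self, otp: str) -> bool:
        # Search only forward: every counter below next_counter has already been
        # consumed or skipped, so a token for it is treated as a replay and rejected.
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.next_counter = c + 1  # resynchronise past the accepted counter
                return True
        return False
```

Persist `next_counter` per user atomically (update-if-unchanged) so two concurrent logins cannot both be accepted for the same counter.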