Project Url: petrs/hotp_via_ndef
Introduction: Implementation of HMAC-based One Time Passwords via URL tag of NDEF applet
More: Author   ReportBugs   

JavaCard HMAC-based One Time Password generator which delivers new code via URL tag of NDEF every time the card is put close to NFC-enabled phone.

As a result, phone will display prompt to visit URL with current OTP code. No installation of phone software is required. The server side needs to parse OTP code properly from URL request.


More detailed instructions with screenshots are available on the project wiki.

Setting URL

Using nfc tag writing application (like this one) write URL to which you would like to be redirected , for example

Code will be appended to the URL, like this:

Check the address by tapping your card to NFC-enabled phone (simple counter is used to generate codes until you set the secret)

Setting HOTP secret

The card accepts otpauth URLs in this format:


(Google Authenticator HOTP URL without counter parameter)

Write with your favorite NFC tag writing application. Counter is always set to 0 when new secret is set.


The project is based on:

  1. NDEF applet by I. Albrech (NDEF applet)
About Me
GitHub: Trinea
Facebook: Dev Tools