otp-provider

OTP Provider

Stable version 1.0.0 (Compatible with OutSystems 11)
Uploaded on 17 April 2023

Documentation
1.0.0

Please be aware of the difference between TOTP and HOTP. Visit the following site for an introduction:  https://www.onelogin.com/learn/otp-totp-hotp.


Using Google or the Microsoft authenticator:

Note that if you want to support these authenticators, you will be limited in how you can configure the TOTP or HOTP code. Both authenticators have built-in restrictions, and this component provides actions that respect them. These actions have the suffix "_ForAutenticators".


Enrollment:

These steps are the same for both a TOTP and an HOTP configuration. The only difference with HOTP is that you need to provide a counter as seed. 

In all cases you will need to follow these steps:

  1. Generate a secret for the user.
    • Use the GenerateSecret action for this.
  2. Store this secret for future validation of the OTP codes.
  3. In case of HOTP:
    • Generate a token.
    • Store this token for future validation of the OTP codes.
  4. If needed, create an OTP Uri that can be converted into a QR code so that the OTP can be stored in an authenticator.
    • Use the GenerateOTPUri action for this.


Validation:

To validate the OTP code you must do the following:

  1. Receive the current OTP code visible in the authenticator via a Form (or something similar).
  2. Retrieve the stored secret of the user.
  3. In case of HOTP: Retrieve the stored token of the user.
  4. Use the TOTP_Validate or HOTP_Validate action to verify the provided OTP code.
  5. Perform the correct action based on the output.
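
The enrollment and TOTP validation steps above, sketched in Python as an added example; this is not the component's own code. The function names are hypothetical stand-ins for the component's actions, and HMAC-SHA1, 6 digits, a 30-second period and a one-step acceptance window are assumed settings.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote, urlencode

DIGITS, PERIOD = 6, 30  # assumed settings, used together with HMAC-SHA1

def generate_secret(num_bytes=20):
    """Enrollment step 1: random shared secret, Base32-encoded for authenticators."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode()

def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32, now=None):
    """RFC 6238: HOTP where the counter is the number of PERIOD steps since epoch."""
    now = time.time() if now is None else now
    return hotp(secret_b32, int(now // PERIOD))

def otp_uri(secret_b32, account, issuer):
    """Enrollment step 4: otpauth:// URI that can be rendered as a QR code."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "algorithm": "SHA1", "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{label}?{params}"

def totp_validate(secret_b32, submitted, now=None, window=1):
    """Validation: accept the current step +/- `window` steps to absorb clock
    drift, comparing in constant time so the check does not leak digits."""
    now = time.time() if now is None else now
    for step in range(-window, window + 1):
        expected = totp(secret_b32, now + step * PERIOD)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False

if __name__ == "__main__":
    secret = generate_secret()           # store per user (steps 1 and 2)
    print(otp_uri(secret, "alice@example.com", "ExampleApp"))  # constructed names
    print(totp_validate(secret, totp(secret)))
```

A wider `window` tolerates more clock drift but lengthens the time a captured code stays valid.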


If you have any questions, please check the implementation of the Demo first. Please note that this will not show you how to store the secret or token, since that is a per-application design choice.