diff --git a/README.md b/README.md
index 84b101ff36af5ea7a51c374446d155aab90e7ece..6172775352bfe87fc6d1850c8efad74e4a12ec70 100644
--- a/README.md
+++ b/README.md
@@ -110,6 +110,17 @@ method. The comment is a free-form string set by the user to tell the
 various credentials apart.
 
 
+## OTP implementation
+
+The authentication server uses a very simple implementation of
+time-based OTP (TOTP), supporting a single secret per user and without
+any fancy features such as emergency tokens etc. The reason for this
+is that TOTP authentication requires just plain read-only access to
+the user database, while counter-based authentication with proper
+token revocation is a read-write, locked operation which is more
+difficult to perform on a LDAP backend.
+
+
 # Usage
 
 ## Client authentication
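Review bot: the justification that TOTP "requires just plain read-only access to the user database" (lines "the user database, while counter-based authentication ... read-write") glosses over replay protection: RFC 6238 (section 5.2) says the verifier MUST NOT accept the same OTP a second time within the time step after a successful validation, which needs some per-user "last accepted time step" state on the authentication server, even if it is held only in memory rather than in LDAP. The new section should state whether this implementation rejects a reused code inside the validity window, and which time-step and clock-skew tolerance it accepts, since those are the parameters an operator needs to judge the "very simple implementation". Minor wording: "a LDAP backend" should read "an LDAP backend", and "emergency tokens etc." would be clearer as "emergency or backup codes".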