What best describes a counter-based authentication system?

Counter-based authentication relies on generating a new one-time password each time by combining a shared secret with a moving counter. The token stores the secret and a counter; with each login, the counter increments and a cryptographic function (typically an HMAC) uses the secret and counter to produce a one-time password. The server does the same calculation and validates the code, ensuring it can only be used once and is in sync with the token. This explains why the correct description is that the system creates one-time passwords derived from a secret key and a counter. The other options don’t fit as well: tokens that never expire describe static credentials, password reuse is insecure and not how counter-based systems work, and biometrics refer to a different authentication factor entirely.