one-time password (OTP)

A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates the user for a single transaction or login session.

An OTP is more secure than a static password, especially a user-created password, which can be weak and/or reused across multiple accounts. OTPs may replace authentication login information or may be used in addition to it in order to add another layer of security.

One-time password examples

OTP security tokens are microprocessor-based smart cards or pocket-size key fobs that produce a numeric or alphanumeric code to authenticate access to a system or transaction. The code changes every 30 or 60 seconds, depending on how the token is configured. Mobile device apps, such as Google Authenticator, rely on the token device and a PIN to generate the one-time password for two-step verification. OTP tokens can be implemented in hardware, in software or generated on demand. Unlike traditional passwords, which remain static or expire every 30 to 60 days, a one-time password is valid for only one transaction or login session.

How to get a one-time password

When an unauthenticated user attempts to access a system or perform a transaction on a device, an authentication manager on the network server generates a one-time value from a shared secret using an OTP algorithm. The security token on the smart card or device holds the same secret and runs the same algorithm, so the server can compare the value it computes with the one the user submits and validate both the one-time password and the user.

Many companies use Short Message Service (SMS) to provide a temporary passcode via text for a second authentication factor. The temporary passcode is obtained out of band through cellphone communications after the user enters his username and password on networked information systems and transaction-oriented web applications.

For two-factor authentication (2FA), the user enters his user ID, traditional password and temporary passcode to access the account or system.

How a one-time password works

In OTP-based authentication methods, the user's OTP app and the authentication server rely on a shared secret. One-time password values are generated with a hash-based message authentication code (HMAC) over that secret and a moving factor, which is either time-based information (TOTP) or an event counter (HOTP). Each value is valid only for a short window, measured in seconds or minutes, which limits how long a captured code remains useful. The one-time password can be delivered to a user through several channels, including an SMS text message, an email or a dedicated application on the endpoint.

Security professionals have long been concerned that SMS message spoofing and man-in-the-middle (MITM) attacks can be used to break 2FA systems that rely on one-time passwords. In line with those concerns, the U.S. National Institute of Standards and Technology (NIST) announced plans to deprecate the use of SMS for 2FA and one-time passwords, as the method is vulnerable to an assortment of attacks that could compromise those passwords and codes. Enterprises considering deployment of one-time passwords should therefore explore delivery methods other than SMS.

Benefits of a one-time password

The one-time password avoids common pitfalls that IT administrators and security managers face with password security. Administrators do not have to worry about composition rules, known-bad and weak passwords, sharing of credentials or reuse of the same password on multiple accounts and systems. Another advantage of one-time passwords is that they become invalid within minutes, which limits an attacker's ability to capture a code and reuse it.

This was last updated in November 2018

Do you use one-time passwords in your organization?
As an IT expert, I can never overemphasize the importance of safe passwords. While a combination of numbers and letters is essential, passwords must be changed on a frequent and periodic basis. With foreign intrusion and digital terrorism soaring at alarming rates, one-time passwords are crucial for existing and new organizations. Whether via manual or recurring methods, one-time passwords can truly protect your most intricate and detailed information.
My organization did this years ago, but actually moved away from it. I don't know of all of the reasons, but I can say that those little fob things were definitely easy to lose.
These seemed popular a while ago, especially as one-time credit cards for use online. As PayPal becomes more popular, I see less of them. Two-factor authentication and biometrics seem more reasonable as next steps.
For the time being, two-step authentication seems like the best approach. A PITA when time is short, but worth the effort. Looking forward, biometrics seem like a more likely future option, but only until someone figures out how to spoof it.
What is an OTP number?