What Is a One-Time Password (OTP)?

One-time passwords (OTPs) are used to verify a person’s identity when they log into an app or service. Unlike static passwords, OTPs are single use and generally only valid for a limited time. This enhances login security both by adding additional steps to the authentication and authorization process, as well as generating credentials that are difficult to guess, crack or steal.

There are various methods of delivering one-time passwords, from PIN codes sent to a trusted email address to smartphone apps that generate a random six digit code every 30 seconds. Although most OTPs expire after a short time, there are exceptions to this rule, such as one-time-use recovery codes generated when you set up a new account, which allow you to reset your password in emergencies. To prevent abuse, codes such as these must be kept in a secure, secret location.

One-time passwords are commonly used to confirm user identities through two-factor or multi-factor authentication. After entering their username and password, the account owner is prompted to enter a single-use passcode, which requires access to specific device or account, thus reducing the risk of account takeovers and login fraud. Different methods for generating or transmitting OTPs include:

Because the transmission of OTPs is vulnerable to attack methods like SIM spoofing for text messages or packet sniffing in the case of emails, most services currently rely on smartphone apps to generate OTPs. App and server generate the same six-digit OTP independently of each other based on a shared key that was entered into the app by scanning a QR code. If the OTP entered by the user matches the one calculated by the server, the login is approved.

On a technical level, there are two approaches to generating one-time passwords, which are both based on the HMAC algorithm for encryption. Time-based one-time passwords (TOTP) use a combination of an initial key and the current time to generate random one-time passwords. To prevent the app from cycling through the same codes every 24 hours, this method uses Unix time, which counts the number of seconds that have passed since January 1st 1970.

HMAC-based one-time passwords (HOTP) follow the same principle, but in this case the random generation is based on the secret key as well as an incrementing counter that is agreed upon during initialization. To ensure that the server and the user’s end device iterate at the same pace, a protocol for resynchronization is commonly used.

The main advantage of OTPs is the added security they offer. By adding an extra step to the sign-in process, one-time passwords significantly reduce the risk of fraudulent logins or account takeovers. Unlike security questions, randomly generated codes are not based on personal information and therefore impossible to obtain through phishing, social engineering or online stalking. Attackers can try to guess OTPs, but the limited timeframe makes this unlikely to succeed.

Advantages of one-time passwords:

Because OTPs add extra steps to the login process, some users see them as an annoying barrier. Furthermore, persons with limited technical experience may need assistance during the initial setup and the first few sign-ins with this method. Requiring a one-time password can also lead to legitimate users being temporarily locked out, for example if they forget their phone at home.

Disadvantages of one-time passwords:

Although one-time passwords make logging in significantly safer, there are some attack vectors hackers can exploit to break through this system. There are two approaches adversaries could take: Firstly, an attacker could try bypass the login process by hijacking an active session. For example, this could be achieved by stealing session cookies. To guard against session hijacking, many services prompt users to confirm their identity in regular intervals as well as before important changes to their account (such as changing their password).

Secondly, cybercriminals can attempt to trick the account owner into entering the one-time password on their behalf. In a man-in-the-middle attack, hackers create a fake login page that the user enters from a phishing email or malicious ad. When the user enters their credentials, the site feeds the information into the actual service and mirrors the OTP prompt back to them. If the user enters the OTP for the attacker, they log in successfully and take over the account. The limited timeframe makes this challenging, but not impossible.

Highlighting potential weaknesses in the OTP model should not discourage you from using OTPs. The advantages of enhanced login security clearly outweigh the downsides and minor risks. However, it is important to stay mindful of the fact that no technological safeguard offers total security. There is no safety measure you can implement that could replace basic foundations of cybersecurity such as educating your users on digital risks or following best practices like the principle of least privilege.