The One-time Password (OTP) Ultimate Guide

If your organization still relies on usernames and passwords for user logins, compromised credentials leave you vulnerable to fraudulent attacks. Supplementing usernames and passwords with an additional authentication method like a one-time password (OTP) is a great way to strengthen your security posture and avoid data breaches.

OTP is an example of multi-factor authentication (MFA). In turn, MFA is a practice that requires users to verify their identity by providing at least two pieces of evidence from different sources. Not only is MFA extremely popular, but it is also highly effective. As Microsoft explains, MFA can “prevent 99.9 percent of attacks on your accounts.”

While MFA is applicable for a wide range of uses, it has proven invaluable in scenarios where users access sensitive data and conduct high-value transactions. Similarly, MFA is very helpful when people access online accounts from risky locations like airports and unknown networks.

What is a One-time Password (OTP)?

The acronym “OTP” stands for both “one-time password” and “one-time passcode.” An OTP is defined as an automatically generated sequence of characters that is only valid for a single login session or transaction. Since OTPs can only be used one time, they protect against the dangers of compromised credentials - such as lost or stolen passwords. 

To bring it back to MFA, OTPs are used as a second authentication factor in addition to user names and passwords. In MFA practices, forms of proof include something users know, something they have, or something they are. One-time passwords fall into the “something they have” category because most OTPs can only be accessed directly from user devices, such as smartphones.

OTP authentication works by sending a one-time code comprised of letters and/or numbers to a second MFA source used in addition to a username and password. Common types of OTPs include SMS and voice messages, as well as email verification. OTPs can also be sent as push notifications to an enterprise’s custom mobile app or a third-party authenticator app can be used, like Google Authenticator. OTPs are generated using algorithms and time-sensitive variables. Once the OTP is created and sent as an additional MFA source, the code is copied to the authentication window or other form that verifies the code with the authentication server. The user is then allowed access to their account.

Depending on your MFA policies, a new one-time password can be created each time a user requests access to your digital property if needed.

Here are some examples of how a user might receive an OTP code:

Once the OTP code is generated, the user copies the code or it is automatically transmitted to an authentication window or other form that verifies the code with the authentication server to ensure there is a match.

The user then receives an “Authenticated” message and is able to access their account and associated resources if the OTP is the final authentication factor required.

After the OTP is used or the timeframe for use has expired, the code is no longer valid and cannot be reused.

Time-based one-time password (TOTP) uses time as a moving factor, and passwords typically expire within 30-240 seconds. The temporary password is generated by an algorithm that uses the current time of day as one of its factors.

Enterprises need to make sure users are able to receive their passwords before the time limit expires, so TOTPs can have limited use in areas without high-speed broadband or reliable internet connections.

HMAC stands for hash-based message authentication code. HMAC-based one-time password (HOTP) is event-based and uses a counter as the moving factor instead of time, with seed values and hashes used to generate passwords. HOTPs were introduced and used before TOTPs.

The HOTP algorithm is based on an increasing counter value (hash) and a static symmetric key (seed) known only to the token and the validation service. Because HOTPs use counters instead of time, they are available for a longer period of time. The HOTP is valid until another one is actively requested and validated by the authentication server.

Depending on your MFA policies and user base, there are several OTP delivery methods available.

1. SMS
2. Voice
3. Email
4. Messaging Apps
5. Hardware Keys
6. Authenticator Apps

SMS OTP

With SMS OTP, a unique and time-sensitive code is sent to a user's mobile device via a text message. SMS OTP is extremely popular due to its speed and convenience. 

Voice OTP

In voice OTP verification, a code is delivered to the user through an automated voice message over a phone call. Voice OTP is considered secure since the code is delivered audibly directly to a user’s number. 

Email OTP

Email OTPs are sent directly to user’s inbox. While email OTP adds an extra layer of security since users must login to their inbox, some question this MFA method since emails aren’t tied to a specific device. 

Messaging Apps

Messenger app OTPs are sent via popular messaging apps like Telegram, WhatsApp, and Viber. Users enjoy the added security of platforms like WhatsApp because they automatically encrypt messages. 

Hardware Keys

Hardware key OTPs use physical devices to generate one-time codes with the push of a button. Certain organizations prefer the use of hardware keys since they operate offline and are inaccessible to fraudsters. 

Authenticator Apps

With authenticator app OTPs, codes are generated by mobile applications like Google Authenticator. Since authenticator apps work offline and entirely within user’s devices, they are considered extremely secure.

One-time passcodes offer a secure and convenient way to implement MFA in situations where sensitive data is accessed and exchanged.

MFA prevents bad actors from using compromised credentials because they cannot provide the second and/or third authentication factor. Since the OTP is sent to the user’s device, as long as the user still has possession of their devices, the hacker won’t receive the OTP code and authentication will fail. 

OTP can be used for a variety of applications and services. To see how a one-time password is used to verify a user’s identity, watch this short video on payment flow.

Since MFA is especially useful for securing sensitive data and high-value transactions, OTPs are particularly valuable in industries where privacy and security are of utmost importance. 

Healthcare: OTP is widely used among healthcare organizations for employee identity access management (IAM). It is also used to ensure doctors and hospitals comply with the Health Insurance Portability and Accountability Act (HIPAA). 

E-commerce: OTP authentication helps e-commerce companies provide secure and convenient shopping experiences for their customers. MFA in e-commerce protects sensitive financial information and user accounts. 

Government: Agencies like the Internal Revenue Service (IRS) use OTP to protect online portals for secure citizen logins. Government organizations also implement OTP to restrict access to important databases. 

Finance: Due to the sensitive nature of the finance and banking industry, OTP plays a critical role in securing user accounts. OTP also prevents financial fraud by forcing users to validate transactions with MFA.  

Information Technology: Fortune 100 companies in the IT industry like Google and Microsoft rely on OTP authentication. Whether it be employers or customers, OTP is an essential cybersecurity practice in the IT space.

A one-time password expires quickly and cannot be reused, making it more secure than traditional passwords that users may reuse for multiple applications. Benefits include: