What is a One-Time Password (OTP)?

What is an OTP?

Companies know that compromised credentials can be used to execute fraudulent online attacks and data breaches. Supplementing a user’s username and password credentials with an additional authentication factor (AKA multi-factor authentication) can be done through the use of a one-time password. 

One-time passwords are often referred to by their abbreviation OTP and are sometimes also called OTP codes. They can be used to replace authentication login information, or used in addition to it for an added level of verification and security. These passwords usually consist of an alphanumeric code (letters and numbers) and are generated for a single login session. Once you’ve logged in with a one-time password, it expires and cannot be used for the next login session.

Password-based two-factor authentication with OTP (and what security it provides) is a common requirement for businesses moving to the cloud. One-time passwords are often used for two-factor authentication in areas, such as online banking, but are now increasingly being used by companies across many sectors. In the first step, the user enters their usual login credentials. Then they generate a dynamic one-time password, which is also required for OTP authentication, using a tool such as a security token. The username and password are both required to log in, but there’s an extra step. Before you can successfully sign in, you’ll need the one-time password that was generated for you. This additional step ensures much greater security for users.

Not every OTP is created equal and there are a few different types available to suit the needs of your business.

Types of One-Time Passwords

Time-based One-time Password (TOTP)

TOTP uses time as a moving factor, and passwords typically expire within 30-240 seconds. These temporary OTPs are generated by an algorithm that utilizes the current time of day as one of its factors and must be used before the time limit expires, making high-speed broadband and reliable internet connections necessary for TOTP’s use.

HMAC-based One-time Password (HOTP)

HMAC (Hash-based Message Authentication Code) is a common algorithm used to generate OTPs. Rather than using a time-based counter as the moving factor for its used HOTPs, this algorithm uses an increasing counter value and a static key known only to the user and the authentication server. This means that OTPs can be generated for longer periods of time, as well as several times per day if desired by the user. 

How Does an OTP Work?

For a one-time password to work, the user and the system must know what the OTP is, and this can be achieved in one of two ways. Sometimes, password lists are used, which are ready-made lists of passwords known to the user and the system. This approach, however, does have some security issues. 

Instead, providers are increasingly switching over to dynamically generated OTPs for enhanced security. Dynamic one-time passwords are widely generated by OTP tokens, and these passwords are often entered together with additional authentication factors like PINs. To generate a dynamic password, a special algorithm is used. There are three different algorithm options:

Time-based

With time-based authentication, the server and the security token create synchronized passwords by using the same algorithm. This type of one-time password (TOTP) is therefore valid for a precisely defined time interval, usually 1 to 15 minutes.

Challenge-response based

The challenge-response-based method sees the server specify a request (challenge), which the client must answer (response). The client will receive a certain value from the server which is used to calculate what the OTP is before it is checked by the server. 

Event-based

Event-based OTPs depend on a physical action performed by the user shortly before the password is required. It is calculated using a token and its algorithm and is calculated based on the previous password so that it can be validated by the server.

The Benefits of One-Time Passwords

One-time passwords (OTPs) are more secure than regular passwords because they expire quickly and cannot be reused. This enhanced security offers many benefits to users and companies. 

Makes Passwords Difficult to Guess Through Random OTP Generation

Using one-time passwords to secure account access ensures that provided passwords become invalid within a few seconds, preventing hackers from retrieving them and reusing them. Hackers will have a very hard time guessing one-time passwords. Even with advanced automated password cracking tools, the additional constraints of TOTP and HOTP make cracking the code even more difficult.

Reduced Risk When Passwords are Compromised

What is OTP's primary benefit? User security. Users without strong passwords often recycle the same credentials across different accounts —if these credentials are leaked or otherwise compromised, stolen data and fraud become significant threats to the user. OTP usage helps to prevent such breaches, even if an attacker has obtained a valid set of login credentials. A hacker won't be able to gain access to a user's account if MFA through an OTP is required. 

Reduces Password Fatigue

Password fatigue is common as users now need to remember an array of passwords for their many accounts —and using the same password for multiple accounts is a dangerous solution. Because OTPs are automatically generated and only valid for one-time use, they won't require the user to create a password or remember what their password is. 

Reduces IT Staff Support for Password Resets & Security

Because OTPs are single-use, IT help desks will face far fewer support requests regarding users who have forgotten what their password is or fixing passwords that have been stolen or need resetting. One-time passwords also help avoid common password security problems faced by IT staff. With OTP, password composition rules, weak passwords, sharing of credentials, and reuse of the same password on multiple accounts will no longer be an issue. 

Easy Adoption

One-time passwords are extremely easy for organizations to integrate into their preexisting authentication strategies. Phones, tokens, and other necessary technologies are widely accessible for security teams and their employees to use, and OTP services provided by trusted platforms are simple to begin using right away.

When Should One-Time Passwords (OTPs) be Used?

It’s recommended that all online services and websites that involve highly sensitive and important data should utilize one-time passwords for enhanced security. According to Microsoft, MFA can “prevent 99.9 percent of attacks on your accounts,” making OTPs a great option for preventing compromised login credentials. Examples of services that widely use OTPs include:

• Online banking and other financial services (online stock portfolios or cryptocurrency exchanges)
• Confidential channels of communication
• Websites or databases containing sensitive company data

It’s not necessary to utilize OTPs for every website, but the additional layer of security they provide is influencing more websites to adopt the practice. If you want to keep your users’ data safe, OTP can be a great option. 

Whether or not the service you are utilizing uses one-time passwords (OTPs), you should always be sure to use secure passwords for your accounts. Cybercrime is steadily increasing, and online security awareness is more important than ever!

Authenticate and Verify Users From One API Platform with Unifonic

Unifonic’s customer engagement platform allows you to delight your customers with remarkable omnichannel experiences. With Unifonic’s account authentication and verification API, you can provide a secure authentication service with OTP and 2FA through SMS, voice, messaging apps, and mobile push notifications. Now that you know exactly what an OTP is and how they work, you’re ready to start reaping the benefits. 

Prevent bots and compromised accounts with login verification, to ensure your user’s data stays secure. Our authentication services are easily integrated and provide global coverage with our best-in-class API. Ready to level up your cyber security game with one-time passwords? Talk to an expert and request your free demo today.