What is a One-Time Password (OTP)?
OTP stands for one-time password or one-time passcode. It is a dynamically generated string of digits or letters that grants a user access to an application exactly once. Unlike a static password, an OTP is never reused: a fresh code is generated for every login attempt and becomes worthless once it has been accepted. It is also sometimes referred to as a one-time PIN, one-time passcode, or one-time authorization code (OTAC).
OTPs can be sent to users via SMS, email, or mobile push notifications. Alternatively, OTP generators such as hardware keys and mobile authenticator apps can be used for authentication. One-time passcodes are often used as a secondary factor in a multi-factor authentication (MFA) flow.
Common OTP delivery methods
Here are the major OTP delivery methods in use today:
SMS / Text
SMS authentication lets users log in to applications by entering a code sent to their phone via text message. It verifies users with a possession-based factor (their mobile phone number). SMS authentication is an improvement over a static password alone, since the passcode changes for every login attempt.
SMS authentication is convenient for users because it doesn't require them to learn new behaviors or get new hardware. However, it is vulnerable to SIM swapping (an attacker convinces the carrier to move the victim's number to a SIM they control), to interception of the message in transit (for example through weaknesses in the SS7 signaling network), and to real-time phishing, where the victim types the code into an attacker-controlled page that relays it to the real service before it expires.
Although SMS authentication is still widely used, it has drawn security objections. In 2016, a draft of NIST Special Publication 800-63B proposed deprecating SMS as an out-of-band second authentication factor; the final 2017 version kept it but classified it as a "restricted" authenticator that agencies must justify and eventually plan to replace.
Email
Email OTP works like SMS authentication, except the user receives the one-time code in their email inbox instead of by text message. It verifies users with a possession-based factor (control of the email account).
Almost everyone has an email account and accesses it regularly, making email OTP very convenient to use. However, the security of email OTP is only as strong as the security of the email account itself. Because the inbox is usually also the password-reset channel, an attacker who takes over a victim's mailbox through phishing or credential stuffing can both reset the password and read the OTP, so the "second factor" collapses into the first.
Messaging apps
Over the past few years, websites have begun using messaging apps such as WhatsApp and WeChat for OTP authentication. Choosing whether to send one-time passcodes over SMS, email, or other messaging apps is often a function of two things:
Which method users are most comfortable with, and
Which method has the most reliable delivery rates.
Since messaging services like WhatsApp offer end-to-end encryption, the code is better protected in transit than an SMS is. Note that this only protects the delivery channel: a code that the user then types into a phishing page is captured just the same. Messaging services can also operate over both cellular and Wi-Fi, making them reachable even when users are on international roaming or have no mobile signal.
Hardware keys
In enterprise settings, OTP authentication is sometimes driven by dedicated hardware such as key fobs, smart cards, and YubiKeys. These devices generate OTPs from a cryptographic seed that is also stored on the server. Token and server each hold the same shared secret and independently compute the same OTP, so the server can validate the user's login attempt without the secret ever being transmitted.
An attacker cannot generate codes without physical possession of the token, which makes hardware tokens a strong form of OTP authentication. They are not immune to phishing, however: the code the user reads off the token can still be typed into a fake login page and relayed. Security keys that implement U2F or FIDO2 close that gap, but not by generating an OTP. They perform a challenge-response signature with a private key that never leaves the token, and the signed challenge is bound to the origin of the site, so a code cannot be relayed to a different domain. The trade-off is convenience: users must carry the key with them, and losing it means falling back to a recovery path.
Authenticator apps
OTP generation can also be performed by software tokens. Unlike hard tokens like security keys, these are not separate physical entities that users must possess. Rather, they are built into authenticator applications like Google Authenticator, Microsoft Authenticator, and Authy.
Mobile authenticators can be used in both enterprise and consumer contexts. Once enrolled, these apps do not depend on Internet access or a wireless carrier to produce codes (they only need a reasonably accurate clock), making them usable in a wide variety of scenarios. Apps that require a biometric or PIN to unlock protect the stored seeds if the device is lost or stolen; this hardens the device, but the factor presented to the server is still the code.
Authenticator software uses the TOTP algorithm to perform time-based OTP generation and validation. The next section covers TOTP in more detail.
What is HOTP and TOTP?
Before going into the specifics of HOTP and TOTP, it’s important to understand how OTP generation algorithms work in general. Two inputs are used to generate OTP codes:
A seed. This is a static secret key shared between the token and the server. It is generated when the user enrolls a token on the authentication server and is typically handed to an authenticator app as an otpauth:// URI inside a QR code.
A moving factor. This is a component that changes every time a new OTP is requested. The main difference between HOTP and TOTP is how the moving factor is generated.
HOTP
The "H" in HOTP refers to HMAC, the hash-based message authentication code. Thus, HOTP stands for HMAC-based One-time Password. In HOTP, the moving factor is a counter that is incremented every time a new OTP is requested; the code is an HMAC over that counter, truncated to a few decimal digits.
This counter is tracked on both the token and the server. The counter on the token increments by one each time the user requests a new OTP. The server does not blindly increment in step: when a code is validated, the server moves its counter to one past the counter value that matched. To tolerate codes the user generated but never submitted, the server checks a small look-ahead window of counter values rather than just the next one.
HOTP tends to be user friendly since the code does not change until the user requests a new one, so the user has ample time to enter it. However, this also means a valid code stays valid indefinitely until it is used, which gives an attacker unlimited time to guess it. RFC 4226 therefore recommends that the server throttle or lock out after a small number of failed attempts.
HOTP was developed by the Initiative for Open Authentication (OATH) and published by the IETF as RFC 4226 in December 2005.
TOTP
TOTP stands for Time-based One-time Password. TOTP is HOTP with a different moving factor: instead of a counter, it uses the number of fixed-length time steps elapsed since the Unix epoch. After each time step, which is usually 30 seconds, the OTP changes.
TOTP is generally preferable to HOTP because a code is only valid for a short window, which limits how long an attacker has to guess or relay it (a six-digit code still has only a million possibilities, so rate limiting on the server remains necessary). The cost is that the user has to enter the passcode before it refreshes, and the token's clock may drift from the server's. To cope with this, RFC 6238 recommends that the server accept codes from a small number of adjacent time steps (typically one step before and after), record which step was last used so the same code cannot be accepted twice, and make it easy for users to submit a new code if the previous one has expired.
TOTP was published as RFC 6238 by the Internet Engineering Task Force (IETF) in 2011.
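The following is an added example written for this article, not Descope's code or a reference implementation from either RFC. It implements HOTP (RFC 4226) and TOTP (RFC 6238) exactly as described above, using only the Python standard library, and adds the server-side pieces the text mentions: an HOTP verifier with a look-ahead window and failed-attempt throttling, and a TOTP verifier that accepts one step of clock skew but rejects reuse of a step. The seed is the ASCII string "12345678901234567890" used in both RFCs' test vectors, so the outputs can be checked against the published tables; the window sizes and the lockout threshold are illustrative assumptions, not values mandated by the RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the server-side checks the text describes."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Seed from the RFC 4226 / RFC 6238 (SHA-1) test vectors: ASCII "12345678901234567890".
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(seed, counter) -> dynamic truncation -> zero-padded decimal code."""
    msg = struct.pack(">Q", counter)            # the moving factor as 8 bytes, big-endian
    mac = hmac.new(seed, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: the moving factor is the number of `step`-second intervals since the epoch."""
    return hotp(seed, at // step, digits, algorithm)


class HotpVerifier:
    """Server side of HOTP: keeps the counter, resyncs within a look-ahead window, throttles."""

    def __init__(self, seed: bytes, look_ahead: int = 10, max_failures: int = 5):
        self.seed = seed
        self.counter = 0               # next counter value the server expects
        self.look_ahead = look_ahead   # assumed window; tune for your deployment
        self.failures = 0
        self.max_failures = max_failures  # assumed lockout threshold (RFC 4226 s.7.3)

    def verify(self, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False               # locked: a code stays valid until used, so guessing must be cut off
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1   # move past the counter that was just consumed
                self.failures = 0
                return True
        self.failures += 1
        return False


class TotpVerifier:
    """Server side of TOTP: accepts +/- `skew` steps of drift and never accepts a step twice."""

    def __init__(self, seed: bytes, step: int = 30, skew: int = 1):
        self.seed = seed
        self.step = step
        self.skew = skew
        self.last_used_step = -1       # highest time step for which a code was accepted

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_used_step:
                continue               # replay protection: this step (or an older one) is spent
            if hmac.compare_digest(hotp(self.seed, t), code):
                self.last_used_step = t
                return True
        return False


def otpauth_uri(issuer: str, account: str, seed: bytes) -> str:
    """The otpauth:// URI an authenticator app reads from an enrollment QR code."""
    secret = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_SEED, c)}")
    print("TOTP at t=59, 8 digits:", totp(RFC_SEED, 59, digits=8))
    print(otpauth_uri("Example", "alice@example.com", RFC_SEED))
```

Two details worth noting: `hmac.compare_digest` is used so that a wrong guess takes the same time as a correct one regardless of how many leading digits match, and the TOTP verifier tracks the last accepted step rather than the last accepted code, which is what prevents a code captured during its 30-second window from being submitted a second time within the skew window.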
Benefits of using OTP
OTPs are a key component of the larger two-factor authentication (2FA) market, which is projected to grow to $44 billion by 2030. OTP adoption will continue to grow because they provide some key benefits for businesses and users.
Safer than just using passwords: OTPs are meant for one-time use, which makes them resistant to replay attacks where the attacker records data (such as a static password) and submits it later; a recorded OTP has already been consumed or has expired. Note that this defeats replay, not relay: a real-time phishing proxy that forwards the code within its validity window still succeeds. Using one-time codes as a second factor nonetheless reduces risk if and when user passwords get stolen.
Primed for wide adoption: OTPs can be easily integrated into an application’s authentication flow. Users like one-time codes because they don’t need to be remembered and usually don’t require new hardware. Users are already familiar with common OTP delivery methods and don't need to learn new behaviors to use them.
Can be used for more than login: In addition to login, one-time passwords can be used as a factor in risk-based authentication. For example, a user can be asked for an OTP before they complete a high-value transaction on a banking app. Risk-based 2FA gives users an enhanced sense of security without impacting their overall experience.
Drawbacks of using OTP
There is no authentication silver bullet, and that includes one-time passcodes. Here are some risks to keep in mind while using OTPs:
Depends on delivery rates: OTPs sent to users using SMS, email, and other messaging apps depend on reliable delivery. Missed messages, delayed texts, and email OTPs going to spam folders can lead to a poor user experience and drop-off.
Uses shared secrets: The seeds used in OTP generation are symmetric shared secrets. Unlike passwords, which can be stored as salted hashes, seeds must be kept on the server in a form it can use to recompute codes, so a database breach exposes every seed directly. This makes the authentication server an attractive target: an attacker who steals the seeds can generate valid codes for any enrolled account. Seeds should be stored encrypted under a key held in an HSM or key management service, never alongside the user table in the clear.
Susceptible to some attacks: OTPs can be phished regardless of the delivery method, because the user ultimately types the code into whatever page asked for it. SMS authentication is additionally exposed to SIM swapping and message interception. Email OTP depends on the security of the email account. Even TOTPs from authenticator apps and hardware tokens can be captured by a real-time phishing site and relayed to the genuine service before they expire.
OTP authentication with Descope
Adding OTP authentication to your app while taking care of all the security nuances above (rate limiting, skew windows, replay protection, seed storage) can be a time-consuming project for developers who are also busy building core app functionality. Descope helps developers add OTP authentication to their apps with no-code workflows, SDKs, and APIs.
Sign up for Descope and add OTP authentication to your app with a few lines of code.