What is a One-Time Password (OTP)?
A one-time password or passcode (OTP) is a string of characters or numbers that authenticates a user for a single login attempt or transaction. One-time passwords are created by an algorithm, that generates a unique value for each OTP by factoring in contextual information, like time-based data or previous login events.
Tech support teams typically administer OTPs to people who’ve forgotten their login credentials to an account or website, or when the resource in question requires additional protection from unwanted access attempts. OTPs are also typically safer than other access methods, as they add a second layer of authentication that an unverified user will need to pass before they can access an account.
When authenticating users, companies have to keep three independent factors to keep in mind:
- Knowledge. Things the user knows, like a password, PIN, or security question answer.
- Possession. Things the user has, such as a token, credit card, or phone.
- Biometric. Things that identify the user uniquely, like fingerprints or behavioural data.
In addition to passwords, security teams often distribute possession factors like OTPs using tokens and phone notifications—things the user likely already has.
How do One-Time Passwords (OTPs) work, and what are their benefits ?
Now that you know what OTPs are, let’s examine how they keep businesses secure.
- Resistance to replay attacks: OTP authentication provides distinct advantages over using static passwords alone. Unlike traditional passwords, OTPs aren’t vulnerable to replay attacks—where a hacker intercepts a transmission of data (like a user submitting their password), records it, and uses it to gain access to the system or account themselves. When a user gains access to their account using an OTP, the code becomes invalid, and therefore can’t be repurposed by attackers.
- Difficult to guess: OTPs are often generated with algorithms that make use of randomness. This makes it difficult for attackers to successfully guess and use them. OTPs may be valid only for short periods of time, require the user to have knowledge of a previous OTP, or provide the user with a challenge (e.g., “please enter the second and fifth number”). All of these measures further reduce an environment’s attack surface when compared to password-only authentication.
- Reduced risk when passwords are compromised: Users that don’t adopt strong security practices tend to recycle the same credentials across different accounts. If these credentials are leaked or otherwise fall into the wrong hands, stolen data and fraud are significant threats to the user on every front. OTP security helps to prevent access breaches, even if an attacker has obtained a valid set of login credentials.
- Easy adoption: One-time passcodes are also easy for organisations to integrate into their authentication strategies. While the cryptic nature of these codes makes them difficult for people to memorise, phones, tokens, and other technologies are widely accessible for security teams to use and distribute to their employees.
What types of OTPs are there?
OTP authentication is possible thanks to tokens. There are a few different types that you’ll come across.
Hard tokens (as in hardware) are physical devices that transmit OTPs, helping users gain access to accounts and other resources. Hard tokens broadly include:
- Connected tokens: Users connect these tokens into the system or device they’re trying to access. Smart cards and USB drives are inserted into a device’s smart card reader and USB port, respectively.
- Disconnected tokens: The most frequently used token for multi-factor authentication (MFA). While users don’t have to physically insert these tokens, disconnected tokens typically generate OTPs for users to enter. Pocket-size key fobs, keyless entry systems, mobile phones, and banking security devices are some examples of this in action.
- Contactless tokens: These tokens transmit authentication data to a system, which analyses the information and determines if the user has access rights. Bluetooth tokens are an example of contactless transmission, with no need for physical connections or manual input.
Soft tokens (as in software) aren’t physical items that we possess. Rather, they exist as software on a device like a laptop or mobile phone. Soft token authentication usually takes the form of an app that sends push notifications or SMS messages for the user to respond to and verify their identity.
All of these methods follow the same basic process: the user sends authentication data to a system, the system verifies if the information is correct, and, if so, grants the user authorised access. It’s the same idea as using a password, but with an OTP the authentication data doesn’t travel or leak beyond the user and target system.
Which authentication methods are the best?
Not all methods are created equal. Implementing any form of MFA marks an improvement over using passwords alone, but each authentication factor offers different degrees of protection. We’ve got some recommendations that’ll help you avoid vulnerabilities.
SMS authentication might be more convenient, but is less secure
We know from our day-to-day lives just how easy it is to communicate through SMS. It makes sense, then, that many companies and service providers have implemented SMS OTP as a second form of identity verification.
Unfortunately, SMS OTP is open to several lines of attack, including:
- SIM swapping and hacking: Your SIM card tells your phone which carrier to connect to, and what phone number to connect with. In a SIM swap attack, a threat actor convinces your carrier to switch your number to a SIM that they own. As a result, they can access all the SMS OTP messages synced to your accounts.
- Account takeover: Many wireless providers let users view text messages within their web portal. If your online account for the web portal is protected only by a weak or common password, an attacker can breach this account and access any SMS OTP messages.
- Lost and synced devices: In theory, losing your phone means you shouldn’t be able to receive SMS OTP messages. However, we can now sync messages between different devices, allowing us to authenticate via SMS OTP and access accounts even without the phone. Forwarding sensitive messages like this isn’t a strong security practice—especially not when your email may have a guessable password.
- Phishing: In a social engineering attack, a threat actor impersonating an employee from a trustworthy service deceives you into handing over your account credentials, and your SMS OTP. Phishing attacks hinge on hackers exploiting users’ emotions or lack of knowledge, and can result in SMS OTPs leaking in the same way as a password.
As more companies adapt to remote work, workforces are increasingly using their mobile devices to access workplace applications. Check out our Businesses @ Work (from Home) report for more insights on how this is affecting security practices.
OTP security tokens have their ups and downs
Hard tokens, like RSA SecureID, are a definite upgrade over SMS-based OTPs—relying on something the user has in their possession makes them less exploitable than knowledge-based authentication. What’s more, an OTP device such as Universal 2nd Factor (U2F) authentication security keys use asymmetric encryption algorithms to ensure that the OTP never leaves the token, effectively meaning it can’t be leaked.
However, the tangible nature of hard tokens also works against them. Users need to carry around another device, which can get lost, damaged, or stolen. This makes OTP tokens challenging for IT to maintain, particularly in large organisations, and can compromise security when in the wrong hands.
Additionally, tokens that must physically connect with a device aren’t always accessible. USB drives like U2F keys, for instance, aren’t a practical solution for securing mobile devices, which don’t have USB ports.
Authenticator apps are a strong alternative
- Mobile authenticators like Okta Verify, Authy, and Google Authenticator verify users by sending OTPs and push notifications to the user’s app. Authentication apps are more secure than the above methods for a number of reasons:
- Mobile OTPs don’t depend on internet access, your location, or the security of your wireless carrier. OTP and push notifications are tied to your device, rather than your number, and they generally work without network service or data.
- Mobile OTP is typically a free feature built into many authenticator apps, meaning it’s easy to use in enterprise and individual contexts.
- Push notifications and mobile OTP codes expire quickly, reducing the risk of exploitation as compared to SMS OTP.
- Some authenticator apps support biometrics such as face and fingerprint identification. This offers a stronger layer of protection—even if your phone is stolen, no one else but you can accept push notifications to the device.
WebAuthn protects even more devices
WebAuthn is a browser-based API that uses registered devices (desktop or mobile) as authentication factors. Biometric authenticators built into devices (e.g., Windows Hello, Fingerprint on Android, Touch ID on iOS) all enable WebAuthn, as can portable devices such as Yubikey 5Ci.
WebAuthn provides some unique benefits:
- Thanks to public key cryptology, it effectively shields users from phishing attacks.
- Integrating with users’ devices and biometrics creates quick and easy login experiences.
- Google Chrome, Microsoft Edge, and Firefox all pair with biometric devices to enable WebAuthn, making it accessible.
Ultimately, we advise implementing mobile app authenticators and WebAuthn, while using other OTP methods as backups.
There are many different authentication options to keep your accounts secure. To learn how they compare, check out our factor assurance datasheet.