How is a one-time password generated?
- For OTPs valid only for a short period of time (time-based OTPs), the authentication server and the client's token or app share a secret key and keep their clocks synchronized; the code is derived from the secret and the current time interval, so it changes every 30 or 60 seconds and a code observed by an attacker is useless once that interval has passed.
- For OTPs that are to be used in a predefined order (sequence- or event-based OTPs), a mathematical algorithm derives each new password from the previous one. In the classic hash-chain scheme the server stores only the last value it accepted and checks that the next submitted password hashes to it, so a captured password does not let an attacker compute the one that follows.
- For challenge-response OTPs, the authentication server chooses a random challenge (a nonce) and the client computes the password from that challenge and a shared secret. Because the challenge is fresh every time, a recorded response cannot be replayed.
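The three generation methods above, as an added example that is not part of the original article: a time-based code (HOTP/TOTP as specified in RFC 4226 and RFC 6238), a sequential hash-chain OTP, and an HMAC response to a server-chosen random challenge. The secret keys, the seed and the chain length are constructed test values; the server-side `verify_totp` window of one step either side of the current one is an assumed tolerance for clock drift.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Added example, not code from the original article. All keys and seeds below
# are constructed test values.


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch.
    `at` is a Unix timestamp; it defaults to the current time."""
    t = int(time.time() if at is None else at) // step
    return hotp(secret, t, digits, algo)


def verify_totp(secret: bytes, submitted: str, at=None, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current interval and +/- `window` neighbours so a slightly
    drifted clock still works. Compare in constant time so response timing does not
    reveal how many leading digits matched."""
    t = int(time.time() if at is None else at) // step
    return any(hmac.compare_digest(hotp(secret, t + k, digits), submitted)
               for k in range(-window, window + 1))


def lamport_chain(seed: bytes, n: int) -> list:
    """Sequential OTPs: h_0 = seed, h_i = SHA-256(h_{i-1}). The server is given h_n;
    the client reveals h_{n-1}, h_{n-2}, ... in that order."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class LamportServer:
    """Stores only the last accepted chain value; each new OTP must hash to it."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def verify(self, otp: bytes) -> bool:
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.current):
            self.current = otp  # advance, so the same value can never be replayed
            return True
        return False


def challenge() -> bytes:
    """Challenge-response: the server picks a fresh 16-byte nonce with a CSPRNG."""
    return secrets.token_bytes(16)


def challenge_response(secret: bytes, chal: bytes) -> str:
    """The client's answer is an HMAC of the challenge under the shared secret."""
    return hmac.new(secret, chal, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 4226 / RFC 6238 test-vector key
    print("HOTP counter 0:", hotp(key, 0))   # 755224 per RFC 4226
    print("TOTP at t=59 :", totp(key, at=59, digits=8))   # 94287082 per RFC 6238
    chain = lamport_chain(b"constructed-seed", 5)
    srv = LamportServer(chain[5])
    print("chain OTP accepted:", srv.verify(chain[4]), "replay:", srv.verify(chain[4]))
    c = challenge()
    print("challenge response:", challenge_response(b"shared-secret", c))
```

The HOTP and TOTP values can be checked against the test vectors published in the two RFCs; the hash chain is the simplest form of a sequential OTP and shows why the server never needs to store the client's seed.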
Receiving the generated OTP
SMS is the most common technology used for the delivery of OTPs, because text messaging is available on almost all mobile handsets and it can reach large numbers of clients at a low total cost to implement. It does, however, require the user to have a connection to a mobile network, and it hands the code to a delivery channel the service does not control: SIM-swap fraud and interception within the mobile network can redirect or read the message, which weakens the security of the system.
On smartphones, a one-time password can also be delivered or generated directly in a dedicated authenticator app, or within a service's existing app. These systems do not share the vulnerabilities of the SMS channel and do not necessarily require a mobile-network connection: push-based delivery is internet-based, and authenticator apps that generate time-based codes locally need no connection at all. They still depend on the phone itself being uncompromised.
How OTPs work
In order for a user to successfully log into a system that utilizes OTPs, the following sequence of events would occur:
- The user logs into the system with a user name and password.
- The system verifies that the password matches.
- The system then generates an OTP and sends it to the phone number (or e-mail address) registered for that user, by SMS, e-mail or voice call.
- The user types in the current OTP before it expires (or, for a device-generated OTP, before the device cycles to the next one).
- The system verifies that the submitted OTP matches the one it issued to that user's registered phone number, that it has not expired, and that it has not already been used.
- The user is granted access to the system.
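The login sequence above on the server side, as an added example that is not part of the original article: a first-factor password check, then issuing a delivered OTP and verifying it with an expiry, a small guess budget and single-use enforcement. The `OtpStore` class, the five-minute lifetime, the three-attempt limit, the in-process server key and the user record are all assumptions made for illustration; a real deployment would keep the key in a secret store and the pending codes in shared storage.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the original article. Limits and names are assumptions.
OTP_TTL_SECONDS = 300   # delivered code is valid for 5 minutes
MAX_ATTEMPTS = 3        # 6 digits = 1e6 possibilities; a tiny attempt budget defeats guessing
SERVER_KEY = secrets.token_bytes(32)   # assumption: in production, loaded from a secret store


def _mac(username: str, code: str) -> bytes:
    """Keyed hash of the code, so a dump of the pending table alone does not reveal codes
    (a plain hash of a 6-digit code would be brute-forced offline in seconds)."""
    return hmac.new(SERVER_KEY, f"{username}:{code}".encode(), hashlib.sha256).digest()


def make_user(password: str, phone: str) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the registered phone number."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "phone": phone}


def first_factor_ok(user: dict, password: str) -> bool:
    """Step 2: verify the password in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


class OtpStore:
    """Pending delivered OTPs: username -> (mac, expires_at, failed_attempts)."""

    def __init__(self):
        self._pending = {}

    def issue(self, username: str, user: dict, now=None) -> tuple:
        """Step 3: generate a fresh 6-digit code with a CSPRNG and record only its MAC.
        Returns (registered phone, code) for the SMS/e-mail/voice gateway to deliver."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[username] = (_mac(username, code), now + OTP_TTL_SECONDS, 0)
        return user["phone"], code

    def verify(self, username: str, submitted: str, now=None) -> bool:
        """Step 5: accept only an unexpired, unused code, within the attempt budget."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        mac, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]      # expired or locked out: user must request a new code
            return False
        ok = hmac.compare_digest(mac, _mac(username, submitted))
        if ok:
            del self._pending[username]      # single use: the same code can never be replayed
        else:
            self._pending[username] = (mac, expires_at, attempts + 1)
        return ok


def login(store: OtpStore, users: dict, username: str, password: str, now=None):
    """Steps 1-3: password check, then trigger delivery. Returns (phone, code) to send,
    or None if the first factor failed (no OTP is issued, so the channel cannot be abused)."""
    user = users.get(username)
    if user is None or not first_factor_ok(user, password):
        return None
    return store.issue(username, user, now)


if __name__ == "__main__":
    users = {"alice": make_user("correct horse", "+15555550100")}   # constructed data
    store = OtpStore()
    phone, code = login(store, users, "alice", "correct horse")
    print(f"would send {code} to {phone}")
    print("accepted:", store.verify("alice", code), "replay:", store.verify("alice", code))
```

Rejecting a bad password before issuing the OTP matters: otherwise anyone who knows a user name can flood that user's phone with codes. The expiry and attempt counter bound the attacker to a handful of guesses against a million-code space per five-minute window.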
OTPs are usually deployed as the second factor in two-factor authentication: the password is something the user knows, and the OTP proves possession of a registered device or channel. A single attack, such as stealing the password, is therefore unlikely to defeat both layers on its own.