What is one-time password or one-time PIN (OTP)?

There are always moments when you suspect that your user ID and password have been compromised and are no longer secure. The usual reaction is to change your password, often to something you will eventually forget; a better solution in such circumstances is a one-time password or PIN (OTP).
A one-time password is a unique passcode used for signing on to a network or service. It is valid for only one login session or transaction, on a computer system or any other digital device.
It consists of an automatically generated numeric or alphanumeric string of characters and is used by many online platforms to validate customer transactions and identity. The generated code is sent to the user via SMS, email or voice call, and the user enters it to prove their identity.

How is a one-time password generated?

One-time password generation uses randomness and hash functions to derive a code that is hard for an attacker to forge or reverse. This also makes it impossible to predict future OTPs by observing previous ones. There are three basic approaches to generating OTPs:
  • For OTPs valid only for a short period of time, generation is based on time synchronization between the authentication server and the client providing the password.
  • For OTPs that are to be used in a predefined order, a mathematical algorithm generates a new password based on the previous password.
  • For random OTPs, a mathematical algorithm derives the new password from a challenge, a random number chosen by the authentication server.

Receiving the generated OTP

SMS is the most common technology used for delivering OTPs, mainly because text messaging is available on almost all mobile handsets and can reach large numbers of clients at a low total cost to implement. It does, however, require the user to have a connection to a mobile network, which can weaken the security of the system.

On smartphones, a one-time password can also be delivered through a dedicated mobile app or within a service's existing app. These systems do not share the security weaknesses of SMS and, because they are internet-based, do not necessarily require a mobile-network connection.

How OTPs work

In order for a user to successfully log into a system that utilizes OTPs, the following sequence of events would occur:

  1. The user logs into the system with a user name and password.
  2. The system verifies that the password matches.
  3. The system then sends the user a request for the OTP on his phone number by SMS, email or voice call.
  4. The user types in the current OTP before the device cycles to a new OTP.
  5. The system verifies that the OTP matches the one issued to the phone number registered to that user.
  6. The user is granted access to the system.

OTPs are therefore closer to two-factor authentication: it is unlikely that both layers of the authentication could be defeated by somebody using only one type of attack.