A one-time password (OTP) is a short, automatically generated sequence of numbers or alphanumeric characters that an application service delivers to the user at a previously registered email address or mobile phone number associated with the user account. Once the user receives it, they enter it to verify their identity. A one-time password is used as part of an authentication process to verify the identity of a user before allowing access to a web or mobile service.
The technology takes its name from its design: the sequence of characters and numbers can be used only once, and typically has a fixed expiration time of a few minutes or hours. After that time has expired, the user needs to request a new code to proceed with the authentication sequence.
Because of this short lifetime, an OTP provides a dynamic, up-to-date code that can be used to confirm that the person using the user credentials is in fact the legitimate user and not someone who has obtained stolen credentials. This one-time, short-duration quality of an OTP addresses one of the biggest weaknesses of regular password-based authentication, which is that users reuse passwords across sites and services. Once a regular password is stolen, it can be used by fraudsters. A one-time password is only vulnerable for a short period of time before the code expires.
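The single-use and expiry properties described above can be enforced on the server side as in the following added example, which is not code from the original page. The class name `OtpStore`, the 5-minute lifetime, the 6-digit length and the 5-guess limit are assumptions chosen for illustration; the guess limit is added because a short numeric code is otherwise guessable within its lifetime.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime; the page says "a few minutes or hours"
OTP_DIGITS = 6         # assumed code length
MAX_ATTEMPTS = 5       # assumed guess limit, so a short code cannot be brute-forced


class OtpStore:
    """In-memory store of pending codes keyed by user id (constructed example)."""

    def __init__(self, clock=time.time):
        self._pending = {}   # user_id -> [code digest, expiry time, attempts left]
        self._clock = clock  # injectable so expiry can be exercised in tests

    def issue(self, user_id):
        """Create a fresh code; any earlier code for this user stops working."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user_id] = [digest, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # hand to the email/SMS channel; only the digest is stored

    def verify(self, user_id, submitted):
        """Return True only for a matching, unexpired code, and only once."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[user_id]  # expired or exhausted: request a new code
            return False
        entry[2] = attempts_left - 1
        candidate = hashlib.sha256(submitted.encode()).digest()
        if not hmac.compare_digest(candidate, digest):  # constant-time comparison
            return False
        del self._pending[user_id]      # consume on success: single use
        return True
```

A production service would keep the pending entries in a shared store with its own expiry rather than in process memory.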
One-time passwords are typically delivered either via email to a previously verified user address, or via SMS to a previously verified phone number associated with the user account. When a user tries to log in to a service and provides their username and password, the service may also send the user an OTP as additional security for the user account. The one-time password is sent to the mobile number registered with the account. Once the user receives it via SMS, they enter the number or series of characters to complete the login successfully.
One-time passwords are typically used as part of the multi-factor authentication (MFA) process and provide an additional authentication factor to be used in conjunction with the first authentication factor, which is typically a user-generated password.
While one-time passwords are one of the most popular forms of authentication factor for use in MFA processes, there are security concerns with OTP. NIST, in its identity guidelines, designated one-time passwords delivered over SMS as a restricted form of authentication because they are vulnerable to interception by fraudsters. OTP over SMS is particularly vulnerable to what is called SIM Swap fraud, whereby a fraudster contacts customer support, says they have changed their device, and sets up a new mobile number associated with an account. If a fraudster is successful with a SIM Swap attack, any one-time passwords are then delivered to the fraudster's mobile device rather than the legitimate user's device.
For developers of web and mobile services, one-time passwords are relatively easy to implement and users are relatively willing to use this form of authentication. However, considering all the forms of authentication, one-time passwords rank as moderate for friction and moderate to low for security. One-time passwords are sometimes referred to as one-time passcodes or PINs.