One-Time Passwords: Authentication And More

More Than Just Authentication: 14 Ways To Use One-Time Passwords
Alex Kachalov, 19 July 2023, 13:56
For beginners

As you may already know, a one-time password, or OTP, is a code that is valid for only one login session or transaction. You are likely already well acquainted with this technology, as it has by now been widely adopted by many businesses, from finance to online retailers.

OTP technology relies on a natural association between a user and something they own, like an email address or a phone number, and this is why it has become so popular and widespread as a means of user authentication. However, its functionality is not limited to identity checks: the same mechanism can be applied in many other scenarios.

So, what are one-time passwords good for? Let’s discuss a few options.

A safer password check

Let us start with the basics. As you may have noticed, the requirements for a permanent password are constantly rising. It is quite common to demand a password that is at least 8 characters long and contains lowercase and uppercase letters, digits and special symbols. Such passwords are difficult to manage and easy to forget. People will often use the same password for different applications and fail to change their passwords on a regular basis. All this makes it easier for malicious actors to break into accounts and do all sorts of damage.

On the other hand, if you’re sending a one-time password to let the user reset their permanent one in case they’ve forgotten it, why not make this procedure the standard way to log in? As studies show, OTPs are both easier to use and more secure than permanent passwords.

Multi-Factor Authentication

Sure enough, the authentication method discussed above may be used as a part of a multi-factor authentication routine, where the person’s identity is verified using two or more independent means (like, for instance, a permanent password and a one-time code sent by SMS). This should be a standard for all sensitive applications. Whether you are a business or a user, do your best to stay safe, and OTPs will help you with this.

According to Microsoft, using MFA will reduce the risks of attack by an astonishing 99.9%.

Password Reset

Quite often a user will forget their complex and hard-to-remember permanent password. Sending a one-time passcode to verify the password reset is common practice; however, it should be taken into account that such requests can be part of an identity theft attack. A good way to decrease the risk is to send a magic link for a password reset by email while simultaneously sending another code by an alternative channel with a message saying, “someone is resetting your password; if you have not requested that, you can restore the previous value using this one-time code”.

Reactivating users

If a user has not logged into their account for a long time, it may be prudent to perform an additional identity check using one-time codes. Note the plural form here: an abandoned email address could eventually be assigned to another person, and the same thing might happen to phone numbers. So, if the user’s profile contains sensitive data, it is strongly advised to perform a multi-factor authentication, even if you normally don’t.

Securing access with multiple devices

Whenever someone is using a new device to log into their account, it would also be wise to double-check the person’s identity. If you normally use other means of authentication, sending an OTP will greatly decrease the risk of identity theft.

Confirming Changes To Sensitive Data

Certain changes to a user’s profile warrant additional checks. Accidentally altering your contact information or payment plan may result in grave consequences. To verify such critical changes, use an OTP check. This will ensure that the changes are being made by the rightful account owner and prevent accidental modifications.

Confirming Payments And Transactions

Using OTPs to confirm payments and transactions was the first field of application where this technology was widely adopted, and such tasks still account for the majority of all OTPs sent. This is quite understandable, as the method is both effective at eliminating malicious attempts and very easy to use, both for the vendor and for the customer.

Securing Sensitive Resources Online

In certain scenarios, you may want to showcase some digital resources while making sure that only people meeting your requirements can actually access them. Put a preview on your site and set up a system where an OTP is required to access the full version. Then hand the “digital key” to those you trust and be sure that each code is used only once.

Delivering Digital Goods And Upgrades

Many online apps are built on a freemium model, where the basic app is offered for free and a more capable version can be obtained with a paid upgrade. An OTP verification code may be sent to the user after their payment is received. The same technique is used for selling digital goods, where a one-time code allows the customer to download the purchased item.

Building a Contact Base

If the audience is really interested in your online materials (videos, articles, reviews etc.), you may consider limiting their free access. When a visitor wants to view, say, more than five free videos per month, kindly ask them to provide their contact. When prompting for an email or phone number, be sure to add a checkbox which they could check to receive updates about your future videos. Use a one-time code to verify the contact.

Double Opt-In Check

In the scenario described above, you are actually killing two birds with one stone. The procedure is in fact a double opt-in check which ensures that you have explicit permission from your addressee to send them promotional emails. Store the confirmation details (timestamp, IP address and such) for future reference. Should any spam complaints arise, this data will help you prove the legitimacy of your emails.

Blocking Script Kiddies

Well, to be precise, you kill three birds :) To prevent abuse, you would normally use a captcha to verify that requests are being made by actual people. With OTPs, you do not need one: a password check is good enough for this purpose.

Delivery Authentication

When ordering an item from an online store, it may be delivered right to the customer’s door or dropped at a parcel locker. In both cases, one-time passwords are used to complete the delivery by verifying the customer’s identity. This method is now adopted by nearly all online retailers and distribution companies.

Coupons And Discount Codes

If you are using your own software to generate OTPs, it is quite easy to use it as a convenient way to give away discount codes. Add an appropriate prefix to easily distinguish between different specials and set your time-based OTPs to be valid for as long as your promotion lasts. And since all codes are unique, you’ll know exactly which client has responded to your offer.

You may also offer such OTP-based coupons as a reward for an online quiz or opinion survey, which gives you yet another opportunity to obtain the contacts of prospective customers.
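The two properties this article relies on throughout, a code that is accepted exactly once (the definition at the top and the “digital key” scenario) and a validity window that can be set to match a promotion, with a prefix that tells campaigns apart, are shown in the following added example. This is not code from the original article; the OtpIssuer class, the SUMMER prefix and the in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class OtpIssuer:
    """Issue single-use, time-limited codes and verify each one at most once.

    Codes are stored only as SHA-256 hashes, so a copy of the store
    cannot be used to redeem codes that have not yet been sent out.
    (Hypothetical helper, not from the article; uses an in-memory dict.)
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._codes = {}             # sha256(code) -> {"prefix", "expires", "used"}

    def issue(self, prefix, ttl_seconds, digits=6):
        # Unpredictable numeric part; the prefix identifies the campaign/special.
        number = secrets.randbelow(10 ** digits)
        code = f"{prefix}-{number:0{digits}d}"
        self._codes[self._hash(code)] = {
            "prefix": prefix,
            "expires": self._clock() + ttl_seconds,
            "used": False,
        }
        return code

    def redeem(self, code):
        """Return (accepted, detail). A code works once and only before expiry."""
        entry = self._codes.get(self._hash(code))
        if entry is None:
            return False, "unknown"
        if self._clock() > entry["expires"]:
            return False, "expired"
        if entry["used"]:
            return False, "already used"
        entry["used"] = True             # burn the code on first successful use
        return True, entry["prefix"]

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).hexdigest()


if __name__ == "__main__":
    issuer = OtpIssuer()
    coupon = issuer.issue("SUMMER", ttl_seconds=7 * 24 * 3600)  # valid for a one-week promotion
    print(coupon, issuer.redeem(coupon), issuer.redeem(coupon))
```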

Bottom Line

One-time passwords are so much more than just a convenient and secure means of user authentication. This technology, as shown above, can serve a plethora of purposes, being versatile enough to suit your business needs in various fields of application.

To learn the basics of what an OTP is, see our previous article.

Another article elaborates on the criteria for choosing a proper SMTP service to deliver one-time codes by email.

