World's Best Authentication Practices: One-Time Password (OTP)

One-Time Password (OTP) – What Is It?
Yurii Bitko, 19 July 2023, 11:51
For beginners

A one-time password (OTP), often referred to as a one-time PIN or dynamic password, is a password or passcode used to log into a system or application. Unlike a regular password, it becomes invalid after its first use and is usually valid only for a short period of time as well. In this article, we'll explain how it works, discuss its benefits and show a few usage examples from top-tier companies.

OTP in a nutshell

A one-time password is used to verify a single online action, such as a login attempt or payment. When performing the action, the user is required to enter a one-time code, usually a six-digit number or a short sequence of characters which they receive by phone or email. This code works only once and is often set to expire in a short period of time.

Used on its own, an OTP is a form of passwordless authentication, a means of verifying a user's identity or action without a permanent password. You are most likely already familiar with the technology. It was first adopted by the financial services industry to verify online transactions. Since then, it has made its way into many other sectors, such as social media platforms, marketplaces, web applications and gaming services.

One-time passwords are often implemented as a part of two-factor authentication (2FA). In this scenario a user will first enter their regular login credentials, and if successful, a one-time code is issued which the user must input to proceed.

For certain non-sensitive applications, an OTP can be used as the sole means of authentication. This removes password reuse and credential-stuffing risk, but the account is then only as secure as the delivery channel or generator device: whoever controls the user's mailbox or phone number controls the account.

Benefits of OTP

Using an OTP is beneficial for both businesses and end users. Properly implemented, OTP technology induces the following effects:

  • Adds security. Multi-factor authentication is rapidly becoming a standard for sensitive applications, and OTP is currently the most popular way to implement it. When used as the only authentication method, OTP makes it easier to log in, since a user does not have to remember a password, and it eliminates the risks that come with password reuse.
  • Saves money. Initial setup is inexpensive and requires little attention afterwards.
  • Offers a better user experience. OTPs are now widely used and users are accustomed to them, so the flow will be readily accepted by your audience.
  • Resists brute forcing, if configured correctly. A six-digit code has only a million possible values, so the protection comes from the code being valid for a short time and for a small number of attempts: invalidate it after a handful of wrong guesses and rate-limit the verification endpoint, and online guessing becomes impractical.
  • Reduces the impact of a data breach. A delivered code is stored only as a hash and is worthless once used or expired, and with OTP as a second factor a leaked password alone no longer grants access. Note that HOTP/TOTP seeds are long-lived secrets and must be protected like passwords.

How OTP technology works

As said above, a one-time password is a digital code or string of characters which a user must enter to confirm a transaction, login or other important online action. When the user initiates such an action, a unique passcode is generated either by the server application or by the user's security token or generator app.

Older versions of this technology made use of code charts which users had to obtain and print out in advance. When performing an action, they would be requested to input a code from the chart with a given number. This method, although outdated, is still in use.

Because each code works only once, for a short time and for a limited number of attempts, it can be made much easier to enter than a regular strong password. Quite often OTPs are just four- or six-digit numbers; a more robust setup may use a short sequence of common words or a few random characters.

As the name suggests, each passcode can be used only once. For added security, OTPs are usually set to expire after a short period of time.
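The server-side half of a delivered code, as an added example that is not part of the original article: it issues a random six-digit code, stores only a keyed hash of it, and enforces the single-use, expiry and attempt-limit rules described in this section and in the Benefits list. The pepper value, the in-memory dictionary and the OtpStore class name are assumptions for illustration; a real deployment keeps the pepper in a secrets manager and the records in a database or cache.

```python
import hashlib
import hmac
import secrets
import time

# Assumed for this example: a per-deployment key (pepper). Keyed hashing means a
# leaked table of code digests cannot be brute-forced offline over the 10^6 codes.
PEPPER = b"example-pepper-load-from-secrets-manager"

DIGITS = 6
TTL_SECONDS = 300     # a code dies five minutes after it is issued
MAX_ATTEMPTS = 5      # after this many wrong guesses the code is burned


class OtpStore:
    """Keeps hashed, single-use codes per user. The dict stands in for a DB/cache."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._records = {}

    @staticmethod
    def _digest(user_id, code):
        # Bind the digest to the user id so a code issued to one account cannot be
        # replayed against another, and keep the plaintext code out of storage.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(PEPPER, msg, hashlib.sha256).digest()

    def issue(self, user_id):
        """Create a fresh code for delivery (SMS/email/push) and store only its digest.
        Issuing again replaces any outstanding code for that user."""
        code = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)  # CSPRNG, never random.randint
        self._records[user_id] = {
            "digest": self._digest(user_id, code),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id, candidate):
        """True exactly once: for the right code, within its lifetime and attempt budget."""
        rec = self._records.get(user_id)
        if rec is None:
            return False                      # nothing outstanding, or already consumed
        if self._clock() > rec["expires"]:
            del self._records[user_id]        # expired: the user must request a new code
            return False
        rec["attempts"] += 1
        # compare_digest runs in constant time, so timing does not leak matching prefixes
        if hmac.compare_digest(rec["digest"], self._digest(user_id, candidate)):
            del self._records[user_id]        # single use: consume on success
            return True
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._records[user_id]        # guess budget exhausted: burn the code
        return False
```

Two details matter in practice: verify is the only place the code is compared, so per-user and per-source rate limiting should wrap it, and the response is deliberately identical for "no code outstanding", "expired" and "wrong guess", so a caller cannot learn whether a code is in flight for a given user.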

OTP flavors

One-time codes may be generated using different algorithms. The two most widespread varieties are HMAC-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238). Both compute an HMAC over a moving factor using a secret shared between the user's token and the server, truncate the result and reduce it to a short decimal code; they differ only in what the moving factor is.

HOTP uses a counter that both the token and the server keep. Each time the token generates a code, its counter is incremented by one. The server accepts a code, advances its own counter past it and rejects any earlier counter value, so a code can never be replayed. Because a user may generate codes without submitting them, the server checks a small look-ahead window of counter values to stay in sync; a code remains valid until it is used or a later one is accepted.

In contrast, TOTP uses the current time: Unix time is divided into fixed intervals called time steps (30 seconds is the usual default), and the step number is the counter. A code is valid only during its time step, plus typically one step either side to absorb clock drift. If a user does not enter the code within that window, they wait for the next one.
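The two algorithms above, as an added example that is not code from the original article: an RFC 4226 HOTP and RFC 6238 TOTP generator with the matching server-side checks, a look-ahead window for HOTP counter resync and a drift window for TOTP. The function names are assumptions; the shared secret used below is the RFC test-vector key 12345678901234567890, for which hotp(secret, 0) yields 755224 and totp(secret, 59, digits=8) yields 94287082, the values published in the RFCs.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits, algo)


def verify_totp(secret, candidate, for_time=None, step=30, digits=6, window=1):
    """Accept the current step and `window` steps either side to absorb clock drift.
    Every candidate is compared (no early exit) and compare_digest is constant time."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time // step)
    matched = False
    for c in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            matched = True
    return matched


def verify_hotp(secret, candidate, next_counter, look_ahead=5, digits=6):
    """Return the new `next_counter` to persist, or None if the code is rejected.
    Counters below next_counter are never tried, so a used code cannot be replayed;
    the look-ahead resyncs a token whose button was pressed without logging in."""
    for c in range(next_counter, next_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    SECRET = b"12345678901234567890"          # RFC 4226 / RFC 6238 test-vector key
    print(hotp(SECRET, 0), totp(SECRET, 59, digits=8), totp(SECRET))
```

A production TOTP verifier additionally records the last accepted time step per user and refuses anything at or below it; otherwise a phished code can be replayed within the drift window. The seed itself is a long-lived secret and, unlike a delivered code, cannot be stored as a hash, so it needs encryption at rest.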

Ways to deliver an OTP

Note that OTP delivery is not mandatory. A one-time password can be generated on the client's side using a preinstalled generator app or a hardware token. This option offers the strongest security, since no code ever crosses a network, but it is less convenient and harder to maintain (enrolment, lost devices, clock drift).

In most cases, however, you’ll need to securely deliver the code to your client. This can be accomplished using different means. The most popular ones are email, SMS and push notifications. Other methods are not so widespread, such as automated voice calls, messaging apps or even regular mail (in the case of OTP charts mentioned above).

One important thing to note is that a one-time code is only as secure as the channel that carries it. SMS delivery is often discouraged: codes can be intercepted through SIM swapping or SS7 attacks and are easily phished, and NIST SP 800-63B classes SMS and voice-call OTPs as a restricted authenticator.

When using email for OTP delivery, it may be apt to send the code as a "magic link" which the addressee clicks to perform the action. The link carries the same single-use, short-lived token, so the same expiry and consumption rules apply, with one caveat: mail security scanners and link previewers may open the link before the user does and consume it. For certain use cases this option is the most convenient and user-friendly.

Examples of OTP usage

OTP is now a mature technology widely adopted by companies working in diverse sectors. Below are a few examples of how major brands make use of it.

Amazon

The world’s largest online retailer uses a one-time password to verify you’re the rightful account owner if you have enabled two-factor authentication on your account or if you are trying to sign in from a new device.

Amazon also uses OTP technology to secure the delivery of valuable items. A six-digit security code is sent to the customer’s registered email. It is valid only on the day of delivery. The customer gives the code to the delivery person, who enters it into a tracking application to verify that the package has reached the proper recipient.

Visa

Visa Secure, the company’s program that governs Visa transactions using the 3-D Secure standard, provides the rules and policies that merchants and issuers must follow to invoke authentication for online transactions, enabling verification of the cardholder’s identity before the transaction is sent for authorization. The authentication process relies on passcodes which can be sent via SMS or email.

PayPal

As you might expect, PayPal, a multinational financial technology company operating an online payments system, also makes use of one-time passwords. For instance, whenever you want to reset a forgotten password, the system will send you a security code (or prompt for a previously defined security question).

In addition, PayPal uses OTPs to perform a two-step verification at login.

Notion

Notion, a well-known productivity and collaboration web app, emails a one-time passcode whenever a user logs into their account, instead of using a permanent password. A two-step verification option is also supported. With 2FA, the passcode can be either generated using an authenticator app or sent via SMS.

As an emergency backup measure, when setting up two-step verification for the first time, users receive a set of backup text codes. Each code can only be used once, and a new set can be generated when all codes are used up.

Dropbox

Dropbox is a very popular file hosting service based in San Francisco, California, US. With over 700 million registered users worldwide who would not tolerate any leak of their data, security is a top priority for the company. Dropbox uses a two-factor authentication procedure in which an OTP is either sent via SMS or generated on the user’s device by an authenticator app.

If Dropbox detects a suspicious sign-in attempt, they also send a one-time security code to the email address associated with the user’s account which is required for the next login attempt.

DottedSign

DottedSign is a cloud-based electronic signature service. It lets you handle your signing tasks and track every task’s progress, ensuring your workflow is uninterrupted. To sign a document, users are required to verify their identities by entering a verification code.

The bottom line

OTP emails are more than just another type of transactional message you send to your customers. OTP technology provides a way to improve security for your business and users, and offer a better customer experience. It is stable and mature enough to be adopted by companies in all spheres of application, including the most sensitive ones. Implementing some form of OTP, either for login, transaction verification or 2FA, is crucial for businesses that prioritize security.
