What is an OTP – One-time password?
A one-time password (OTP) is an automatically generated sequence of numeric or alphanumeric characters that will authenticate a user for a single login or transaction. It is used in a multifactor authentication (MFA) process to secure access to data.
What exactly is a one-time password (OTP)?
A one-time password is a password that has two fundamental properties : it expires quickly, and it can’t be reused. You will frequently hear the abbreviation OTP as well as the terms “OTP key” and “OTP code”.
OTPs are usually numeric or alphanumeric (letters and numbers) strings and are generated for a single login procedure. This means that after a user logs in with a one-time password, it is no longer valid and cannot be used for future logins.
OTP passwords are commonly used as part of a multifactor authentication (MFA/2FA) procedure. This applies, for example, to financial services (notably following the requirements of the PSD2 directive) and is becoming increasingly common to secure access to business applications or a corporate network.
How does it work?
One-time passwords are based on an algorithm that creates a new and random code each time that a password is requested. But to fully understand how an OTP works, there are two components to consider: the OTP generator and the authentication server. Let’s dive deeper into these 2 components.
The OTP generator
The OTP generator will provide the user with a unique password generated on:
- something that the user has (an authentication token)
- a Time-based One-time Password (TOTP) – which is an OTP where the moving factor is time-based
- a HMAC-based One-time Password algorithm (HOTP) – which is an event-based OTP where the moving factor is counter-based rather then time-based
Depending on the MFA solution that is at the origin of the OTP, the OTP generator can also include something that the user knows (e.g a PIN code). This is why it is important to carefully look if your MFA solution is based on multiple or only 1 factor.
Check out our graph that will help you benchmark your MFA solution.
The authentication server
Once the OTP generator has provided the user with a unique password as seen above, the authentication server must verify the OTP.
What are the benefits of an OTP?
Prevent online identity theft
One of the great advantages of using one-time passwords to secure access is that they become invalid within a few seconds, which prevents hackers from retrieving the secret codes and reusing them.
Reduce support from IT team
When choosing an MFA solution that is natively 2-factor, and therefore where along with the OTP there is no need to require the user to enter the combination login & password (passwordless MFA solution) – then and again only then – IT support teams are less likely to be solicited from end-users for password resets. For sure, end-users are unlikely to make a mistake with a simple knowledge factor such as a PIN code to be remembered. It’s a win-win for users and support teams.
Overcome password security issues
Once again, this is the case only when going for a passwordless authentication that is natively 2-factor. IT administrators and CISOs can avoid the common issues encountered when it comes to password security (weak passwords, sharing credentials, reusing the same password across multiple accounts and systems, etc.).
With TrustBuilder, it also improves user experience
While some MFA solutions will send OTP by push notification or SMS to users, asking them to retype and enter it in their login window, TrustBuilder MFA generates and validates OTPs in a way that improves the users login experience. Indeed, the solution will silently generate and validate the OTP, in a transparent way for the user, allow him/her to have a simple and passwordless login experience.
