
A one-time password (OTP) is a string of numbers and/or characters that is generated and sent to a user to be used for a single login attempt or transaction.

What are the benefits of OTPs?

OTPs reduce the risk around passwords.

Forgotten passwords: One of the most common uses of OTPs is the case where a user has forgotten their password, or had their account breached. An OTP may be issued to the user to access their account before they are prompted to reset their password.

Replay attacks: In a replay attack, a user’s login credentials, including their password, are intercepted. If the password is static, the attacker now has access to that user’s account. When an OTP is used instead, the intercepted code is no longer valid: it was consumed when the user logged into their account and cannot be reused.

Multi-factor authentication: OTPs can add an additional layer of authentication. Using security tokens, OTPs can be generated for users to provide as an additional form of authentication, which increases security and reduces the risk of a breach.

What are the types of OTPs?

Hash-based OTP (HOTP): This type of OTP is generated and sent to a user based on a hash algorithm that syncs the OTP code with a counter that increments each time the user gains access.

[Illustration: hash-based OTP (HOTP)]

Time-based OTP (TOTP): This type of OTP is time-based, in that it provides a window of time within which the OTP code will be valid. In general, timesteps are 30-60 seconds in length. If the user does not enter the OTP code within the specified timestep, they must request a new one.

[Illustration: time-based OTP (TOTP)]
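The HOTP and TOTP descriptions above can be made concrete with a small implementation. The following is an added example, not Entrust's code: it computes HOTP as specified in RFC 4226 and TOTP as specified in RFC 6238 (an HMAC over a counter, dynamically truncated to a decimal code; TOTP simply derives the counter from the current time step), and shows the two server-side checks that make the "cannot be reused" property hold in practice. The key is the RFC's published test-vector key, used only so the output can be checked; the function and class names (hotp, totp, HotpVerifier, verify_totp) and the look-ahead and drift windows are this example's own choices.

```python
import hmac
import hashlib
import struct
import time

# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890").
# Constructed for checking only; a real secret is random and per-user.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, counter as 8-byte big-endian."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class HotpVerifier:
    """Server-side HOTP check. A code is accepted only for a counter above the last
    accepted one, so a code that was already used (or intercepted and replayed) fails.
    `look_ahead` is the resynchronisation window for a token that got ahead of the server."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            # compare_digest: constant-time comparison, avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, drift: int = 1) -> bool:
    """Accept the current time step and `drift` steps either side to tolerate clock skew."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(secret, t + d), code) for d in range(-drift, drift + 1))


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(RFC_TEST_SECRET, c) for c in range(3)])
    print("TOTP for the current 30-second step:", totp(RFC_TEST_SECRET, int(time.time())))
```

HotpVerifier.verify returns False the second time the same code is presented, which is the replay protection the "Replay attacks" paragraph describes; a production verifier would also persist last_counter per user and rate-limit attempts, since a 6-digit code is trivially guessable if unlimited tries are allowed.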

How are OTPs provided to users securely?

OTPs are generated and sent to users securely using security tokens.

Hard tokens: Smart cards, USB keys, keyless entry systems, mobile phones, and Bluetooth tokens are all capable of generating OTPs. A hard token may be connected, disconnected, or completely contactless.

Soft tokens: A code delivered by push notification, email, SMS, or an authenticator app is the common form of OTP soft token.

OTP vs. 2FA

What’s the difference between an OTP and 2FA?

An OTP can be used as a form of 2FA/MFA, but it can also be used on its own as a standalone security mechanism where a user is provided an OTP for every login. The terms should therefore not be used synonymously: OTP is just one of many forms of 2FA/MFA and can also stand alone as its own security solution.

Is an OTP more secure than a static password?

Yes. OTPs add an additional layer of security to static passwords. Passwords alone are a vulnerable form of identity verification, responsible for 81% of security breaches. Adding another layer of authentication to passwords ensures better security. Of course, you could get rid of passwords altogether by going passwordless.

Does Entrust offer OTPs?

Yes. Entrust offers a broad range of authentication solutions that includes OTPs.

What is identity and access management?

Identity and access management (IAM) is a framework of security policies and technologies that ensures that the right entities can gain access to the right resources at the right time.

An entity can be a person or a device. Resources include applications, networks, infrastructure, and data. IAM can apply to workforce, consumer, and citizen use cases.

IAM is based on the premise of establishing and maintaining trusted digital identities. With IAM, organizations are able to authenticate and authorize entities to grant secure access to the right resources. Trust is also maintained over time with adaptive risk-based authentication that provides a step-up challenge when conditions warrant.