What is a one-time password (OTP)?
A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session.
An OTP is more secure than a static password, especially a user-created password, which can be weak and reused across multiple accounts. OTPs might replace traditional authentication login information or may be used in addition to it to add another layer of security.
One-time password examples
OTP security tokens are microprocessor-based smart cards or pocket-size key fobs that produce a numeric or alphanumeric code to authenticate access to the system or transaction. This secret code changes every 30 or 60 seconds, depending on how the token is configured.
Mobile device apps, such as Google Authenticator, rely on the token device and PIN to generate the one-time password for two-step verification.
OTP security tokens can be implemented using hardware, software or on demand. Unlike traditional passwords that remain static or expire every 30 to 60 days, the one-time password is used for one transaction or login session.
How to get a one-time password
When an unauthenticated user attempts to access a system or perform a transaction on a device, an authentication manager on the network server generates a number or shared secret using a one-time password algorithm. The security token on the smart card or device holds the same number and runs the same algorithm, so the code it produces matches the server's value, which validates the one-time password and the user.
Many companies use Short Message Service (SMS) to deliver a temporary passcode by text message as a second authentication factor. The temporary passcode is obtained out of band, over the cellular network, after the user enters a username and password on networked information systems and transaction-oriented web applications.
For two-factor authentication (2FA), the user enters a user ID, traditional password and temporary passcode to access the account or system.