Also called one-time passcodes, OTPs (one-time passwords) are a key component of 2-Factor Authentication (2FA) solutions that are used by most financial service providers to provide the highest level of security to customer transactions. OTPs are popular with users as they are quick and easy to use, and popular with businesses as they are a very cost-effective way of securing transactions and avoiding costly fraud incidents.
How are OTPs generated?
The generation of OTPs relies on the server and the user's device having access to the same secure 'knowledge'.
There are two types of code:
- HOTP (hash-based one-time password): These codes are based on a counter, which is incremented each time a code is generated. In this way the same code can never be used twice and will expire as soon as the next code is generated.
- TOTP (time-based one-time password): As the name suggests, these are an extension of HOTPs that are only valid for a set period of time, usually under 3 minutes, making them even more secure.
How are OTPs delivered?
The most common way of delivering an OTP is via SMS to a mobile phone. All mobile phones can receive SMS, there is no requirement for data or an internet connection, and the fact that mobile phones usually require their own code to unlock adds even more security.
OTPs can also be delivered through proprietary tokens, though these are less popular as they require a person to carry the token at all times.
Why are OTPs better than normal passwords?
What makes OTPs so secure is that they can only be used once, and can be set to expire after a short period of time. Even though normal passwords can be very complex, they are usually only changed every few months, or sometimes never. This makes them far more susceptible to hackers and data breaches.
In the most secure solutions, OTPs and passwords are used together to provide the highest protection from fraud.