What is one-time password (OTP)?
A one-time password (OTP), also known as a dynamic password, is a password that can only be used once, typically during a short period of a few seconds or minutes after the password has been issued.
How do one-time passwords (OTPs) work?
In some applications, a series of one-time passwords (OTPs) are pre-determined or even printed out, but in most applications today, a one-time password (OTP) is generated in real-time by a software or hardware authenticator that a user has in their possession. The authenticator that the user has shares a cryptographic key with the verifier, which is the software that is attempting to verify the user’s identity.
Whichever way it’s generated, each OTP can only be used once. The verifier that checks the password as a means of verifying a user’s identity would reject repeat uses of a password.
In many cases, the use of an OTP authenticator is just one component of a multi-factor authentication process. By combining an OTP with another factor such as a static password or a biometric signature of some kind, information can be more secure than a memorized static password alone.
The benefits of one-time passwords
The adoption of OTPs (One time passwords) can offer a more secure alternative to or even supplement a memorized static password as a part of a multi-factor authentication process. This is because a password that has been compromised would be of little use to someone trying to compromise an account or application.
With static passwords, a hacker or fraudster who obtains a user’s password would have access to potentially sensitive information until that password is changed. In an even worse scenario, whoever compromised that account could change the password before its rightful owner could change it and secure their information.
Because of their one-use nature, OTPs have the potential to secure an application or account so that even in the event that an attacker captures a password, they would not be able to re-use the password in a second attempt. A user who falls prey to a phishing scam or malware that capture their keystrokes would still be protected. The information would remain safe from conventional password-stealing methods.