What Is a One-Time Password & When Is It Used?

Javed Shah

A one-time password can be used for many authentication needs including securing private information or creating an alternative to a password reset.

What is a One-Time Password?

A one-time password is a random series of letters or numbers that can be used only once to authenticate a user. A one-time password is a part of a multi-factor authentication process.

How Do One-Time Passwords Work?

One-Time Passwords were created to address some of the perceived weaknesses of traditional passwords, namely those related to time, storage and usage. On its surface, OTP operates much like a password. But, because it is dynamically and randomly generated, it’s only good for one use, or use at a particular time. In that way, it actually functions much like a token in that the authentication provider assumes that the user possesses a specific account or device.

Passwords as an authentication method have a few drawbacks:

  • Security: Passwords, generally speaking, aren’t very secure. While complex passwords are harder to crack and can work with the right configuration of complex passwords and password storage passwords don’t protect against theft. If a password is stolen, the system will assume that anyone with that password is authentic. This is why phishing is still one of the most prevalent forms of cyberattack.                                    While passwords can be secured, they are by far not the most secure option for authentication and identity management.
  • User Experience: Passwords are hard to remember, which means that users often reuse passwords, use simple passwords, or use default passwords—all of which open up critical systems to hacks and threats.
  • Storage: Passwords are typically stored, hashed, and encrypted in central databases. If that database is breached, it’s only a matter of time before that information is compromised.

Because passwords on their own aren’t generally considered very secure, many organizations use multi-factor authentication that couples passwords with a secondary authentication method. MFA coordinates authentication by combining two types of verification from three different categories:

  1. Something the User Knows: This includes passwords and PINs in combination with usernames.
  2. Something the User Has: This includes tokens or one-time passwords.
  3. Something the User Is: This includes biometrics, like fingerprint or facial scans.

This is where one-time passwords play a role. A one-time password is a password string generated by a server or application either at the point of authentication or on a rolling, time-focused basis.

For example, many MFA solutions will offer the option to send an OTP over SMS or email so that only the user can read it. The assumption is that only the user has access to their email or mobile device. Furthermore, if the user doesn’t log in with the OTP, it will expire.

As another example, the Google Authenticator app can sync with authentication providers across multiple services. The app will refresh OTPs every 30 seconds, separate from any specific login attempt. The user can enter that code when prompted for MFA.

NIST Requirements and One-Time Passwords

One-time passwords are a common form of MFA, so much so that the National Institute of Standards and Technology has defined several requirements for their use in compliant authentication systems.

NIST Special Publication 800-63-3 outlines Authentication Assurance Levels that define the extent to which a user is authenticated in a system. AAL is broken down into three levels:

  • AAL1: At this level, users must be authenticated with single- or multi-factor authentication, the latter of which can include single-factor or MFA OTPs. Multi-factor OTPs are used only after the user has provided initial authentication information (a username and password, for example).
  • AAL2: AAL2 requires an MFA solution that uses either (a) a physical authenticator and a secret (such as a password) or (b) a physical authenticator and an associated biometric. In this case, the physical authenticator is the OTP-generating device and can include a mobile device with secure OTP functionality.
  • AAL3: This level requires using a hardware-based authentication method (a physical token like a USB key), impersonation resistance, and MFA. OTP solutions based on hardware (a special piece of hardware generating OTPs) are acceptable here.

What Are the Challenges and Benefits of One-Time Passwords?

Because one-time passwords are relatively easy to implement, many consumer and business users have come across them in one form or another. Many popular platforms use OTPs as MFA solutions, working with compatible OTP generating apps or simple SMS or email messaging implementations.

As a single- or multi-factor solution, OTPs provide several distinct advantages:

  • Security: Because OTPs are dynamically generated, they are much more secure than static passwords. The one-time password is only available for a limited time, under limited circumstances, which means that the window for vulnerability is low.
  • Ease of Use: There is no need to remember an OTP, since it is entered at the time of use. As such, OTPs generally eliminate the problems of reused passwords or phishing attacks so long as the mode of generation and delivery remain secure.
  • Avoid Replay Attacks: Many threats, including advanced persistent threats, rely on continuing access to a system. OTPs can mitigate certain kinds of threats by closing off channels of access due to expiring authentication credentials.

In terms of challenges related to OTPs, the primary ones are tied to loss of devices or interception of communications. If a user has their phone stolen and it is tied to authentication apps, SMS, or email, the thief can use the device to breach accounts. This isn’t a problem just for OTPs, however.

Additionally, if a user employs hardware-based OTP devices for special cases, the theft of that device can create a security hole.

Finally, the interception of communications like emails or SMS can expose OTPs sent through those channels. This includes cases where a user, a victim of a phishing attack, provides real-time OTP information to a hacker.

1Kosmos BlockID Combines One-Time Passwords with Advanced Authentication

One-time passwords are a useful part of any authentication scheme. They mesh well with other authentication methods and fit into the user experience with simple, device-based approaches.

1Kosmos uses OTPs alongside advanced biometrics, streamlined onboarding, and compliant identity proofing to center user authentication into user devices. This way, your organization can deploy strong, compliant authentication in a way that allows users the ease of access they enjoy with other login services.

The following features are included with 1Kosmos BlockID:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Integration with Secure MFA: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.

Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.

Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

To learn more about BlockID MFA and security, sign up for the 1Kosmos newsletter. Or, to see how 1Kosmos integrates several advanced security features into a single authentication platform, check out our LiveID data sheet.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.