What is a one-time password (OTP)?
A one-time password (OTP) is an automatically generated numeric or alphanumeric code that authenticates a user for a single session or transaction. Unlike static passwords, OTPs expire after use or after a short time window, making captured credentials useless for subsequent access attempts. They are delivered via SMS, email, or authentication apps.
How OTPs work
The user first submits standard credentials such as a username and password. If those are valid, the system generates a unique code and sends it to a device associated with the user. The user enters that code, the system verifies that it matches the code it issued, and access is granted.
Three core mechanisms underpin OTP generation:
TOTP (Time-based) relies on a clock that the authentication server and client keep synchronized, producing codes that are valid only within a short time window.
HOTP (HMAC-based) uses a secret key and an incrementing counter shared between server and client, producing codes that remain valid until used.
mOTP (mobile OTP) delivers codes through a separate channel such as SMS, email, or push notification.
Types of OTPs
HOTP generates passwords using a Hash-based Message Authentication Code (HMAC) computed over a shared secret key and a counter. Client and server each keep their own copy of the counter: the client's counter increments each time a code is generated, and the server's counter increments each time a code is accepted. HOTP codes have no expiration and remain valid until used.
TOTP introduces a time dependency, rotating codes at a fixed interval, typically every 30 to 60 seconds. An intercepted TOTP is usable only within that narrow window before it expires. TOTP requires the client and server clocks to stay reasonably synchronized.
Both are open standards. Both are meaningful improvements over static passwords, and both remain susceptible to phishing because a valid code can be used immediately after capture.
Use cases
Online banking sends OTPs to registered mobile numbers to authorize fund transfers and other sensitive transactions.
E-commerce uses OTPs at checkout or during account changes to confirm user identity.
Two-factor authentication pairs a static password with an OTP delivered by SMS or email, requiring proof from two separate credential categories.
Password reset sends an OTP to a registered contact method to verify identity before allowing a credential change.
Device verification triggers an OTP when a login comes from an unrecognized device.
Physical access control in high-security environments such as data centers uses OTPs to verify personnel at entry points.
Transaction confirmation applies OTPs to high-value financial actions as a final identity check before execution.
Strengths
OTPs make credential guessing or prediction effectively impossible, since each code is generated fresh and unknown until delivered. Intercepted codes cannot be reused, blocking replay attacks. Users are not required to memorize complex passwords, reducing support overhead. The dynamic nature of OTPs eliminates password reuse across platforms. Brute force attacks are ineffective given the transient validity window.
Weaknesses
SMS and email delivery expose OTPs to interception, SIM swapping, and account compromise on the delivery channel itself. Phishing remains effective because a valid OTP can be submitted to an attacker's site and immediately relayed to the real target before it expires. Users can inadvertently expose codes by leaving them visible or sharing them under social engineering pressure. Device loss or failure locks the user out until the delivery device is recovered or replaced. Man-in-the-middle attacks, though technically demanding, can intercept and relay OTPs in real time. The added authentication step introduces friction that some users find inconvenient.
OTPs and multi-factor authentication
OTPs fit into the "something you have" category in multi-factor authentication (MFA), pairing with something the user knows (a password) or something the user is (a biometric). Delivery to a registered device also confirms physical possession of that device as part of the verification process.
OTPs counter keylogging, credential stuffing, and brute force attacks because each code is session-specific and not dependent on user-chosen input. Their broad compatibility means they integrate into most platforms without significant disruption to existing authentication flows.
Used alone, OTPs are not sufficient. As part of a layered MFA strategy, they add a meaningful barrier that substantially raises the cost and complexity of unauthorized access.