English

OTP
TOTP
MFA
HOTP
one-time password

What is one-time password (OTP)?

What is OTP? What is the difference between OTP and TOTP? How does OTP work? This article breaks down the basic concepts of OTP and why it is more preferred than static passwords.

Simeng

Developer

12/23/20245 min read

Stop wasting weeks on user auth

Launch secure apps faster with Logto. Integrate user auth in minutes, and focus on your core product.

Get started

OTP stands for One-Time Password, also known as a one-time pin one-time passcode or dynamic password. It is a unique, automatically generated temporary password used for a single authentication session or transaction.

Unlike traditional static passwords, OTPs change every time they are used and expire after a short period of time. This makes them a highly secure method of authentication, as they are much harder for attackers to steal and reuse.

OTPs are widely adopted in various security applications, including online banking, e-commerce and securing access to sensitive data or systems. They are also commonly used as a second factor in multi-factor authentication (MFA) to provide an additional layer of security. By combining something the user knows (e.g. a password) with something they have (e.g. a mobile device), OTPs have become an essential tool of modern authentication systems.

How does OTP work?

There are several types of OTPs, each generated and delivered differently for different use cases. Some common methods of OTPs includes:

SMS OTP / Email OTP

SMS OTP or Email OTP is one of the simplest forms of OTPs, where a unique passcode is generated by a server and securely delivered to the user via SMS or email. The user then enters this passcode to authenticate themselves.

How it works:

The user requests an OTP from the server.
The server generates a random numeric or alphanumeric code and sends it to the user via SMS or email.
The user retrieves the OTP from their SMS or email inbox and enters it into the application.
The server verifies the code against its records and grants access if the code is valid.

Security measures:

The OTP is only valid for a short period of time (e.g. 5 minutes) to minimize the risk of interception and replay attacks.
The SMS delivery channel relies on cellular networks, making it susceptible to interception via SIM-swapping attacks or other vulnerabilities in the telecom infrastructure.
The email-based OTPs are only as secure as the user's email account. If the email account is compromised, the OTP can be intercepted.

Use cases:

SMS and Email OTPs are commonly used in consumer-facing applications, such as online banking, e-commerce, and social media platforms. Not only are they more secure than static passwords, but they also provide a convenient way for users to authenticate themselves without memorizing complex passwords and security questions.

Given that most users have constant access to a mobile phone or email account at all times, SMS and Email OTPs have become a preferred choice for user authentication, email address or phone number ownership verification and password recovery.

HMAC-based OTP (HOTP)

HMAC-based OTP, defined in RFC 4226, is a time-synchronized OTP algorithm that generates a sequence of one-time passcodes based on a secret key and a counter value. Each OTP is derived by hashing the secret key and counter value using a cryptographic hash function (e.g. SHA-1, SHA-256).

How it works:

Secret: HOTP requires a shared secret key between the server and the client.
Counter: The server and client maintain a counter value that increments with each OTP generation.
The client calculates the HMAC-SHA1(or other hash functions) hash of the counter value (C) using the shared secret key (K)
- H = HMAC-SHA1(K, C)
The hash value is truncated to a 6 or 8-digit code (depending on the implementation) to generate the OTP.
- OTP = Truncate(H)mod 10^d
The server keeps track of the counter value and verifies the incoming OTP by calculating the hash value using the same counter value and secret key. ( If there is a slight mismatch, the server may allow for a small window of counter values, e.g., one or two increments, to account for synchronization issues)

Security measures:

HOTP ensures that each password is unique and valid until it is used, as the counter is incremented after each successful authentication.
The shared secret key is never transmitted over the network, reducing the risk of interception.
The counter value is synchronized between the server and the client to prevent replay attacks.

Use cases:

HOTP is commonly used in hardware tokens and legacy systems where timing constraints might be challenging to implement. For modern applications, TOTP is more popular used due to its time-based nature and ease of implementation.

Time-based OTP (TOTP)

Time-based OTP, defined in RFC 6238, is an algorithm that generates a sequence of one-time passcodes based on the current time and a shared secret key. TOTP is an more advanced extension of HOTP that uses a timestamp instead of a counter value to generate OTPs. It gives a time-based validity to the OTPs, making them more secure than HOTP.

How it works:

Secret: Like HOTP, TOTP requires a shared secret key between the server and the client.
Time step: The key difference between HOTP and TOTP is that TOTP uses a time-based step value (typically 30 seconds) instead of a counter value.
The client calculates the HMAC-SHA1 hash of the current time divided by the time step using the shared secret key.
- H(Time) = HMAC-SHA1(K, Time/TimeStep)
The hash value is truncated to a 6 or 8-digit code to generate the OTP.
- OTP(Time) = Truncate(H(Time))mod 10^d
Dynamic OTP: Since the OTP generation is time-based, the OTP changes every 30 seconds, providing a higher level of security.
The server verifies the incoming OTP by calculating the hash value using the current time and secret key. As long as the OTP is within the valid time window, the server accepts the authentication.

Security measures:

The reliance on time synchronization ensures that an OTP is only valid briefly, reducing the risk of interception or reuse.
The time-based nature of TOTP makes it more secure than HOTP, as it is less susceptible to replay attacks. Even if an attacker obtains a previously used OTP, it becomes invalid once the time window expires.
Like HOTP, the shared secret key is never transmitted over the network, reducing the risk of interception.

Use cases:

TOTP is widely used in software-based authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator. These apps generate time-based OTPs for users to authenticate themselves with various online services, including social media platforms, cloud services, and financial institutions.

TOTP authenticator apps has become the most popular form of OTP for MFA, as it provides a balance between security and usability. Users can generate OTPs on their mobile devices without relying on SMS or email delivery, making it a more secure and convenient method of authentication.

Advantages of OTP

Enhanced security
- OTPs mitigate risks associated with stolen or compromised passwords.
- OTPs are time-sensitive and expire quickly, reducing the window of opportunity for attackers to intercept and reuse them.
- Its single-use nature makes it more secure than static passwords, as each OTP is unique and cannot be reused.
Ease of use
- OTPs are easy to generate and use, requiring minimal user interaction.
- Widely supported by various platforms and services, such as TOTP, requiring minimal setup and can leverage a wide range of existing authenticator apps.
Flexibility
- OTPs can be delivered via multiple channels, including SMS, email, and authenticator apps, providing flexibility for users to choose their preferred method.
Compliance with regulations
- OTPs are compliant with industry standards and regulations, such as PCI DSS, GDPR, and HIPAA, which require strong authentication mechanisms to protect sensitive data.

Why OTP is preferred over static passwords?

OTP is a secure and convenient method of authentication that has become an essential tool in modern security practices. By providing a unique, time-sensitive passcode for each authentication session, OTPs offer a higher level of security than traditional static passwords. Whether delivered via SMS, email, or authenticator apps, OTPs are widely adopted in various applications to protect sensitive data and secure access to online services. As the threat landscape evolves, OTPs continue to play a crucial role in safeguarding user accounts and preventing unauthorized access to personal and corporate information.

Try Logto Cloud Today

How does OTP work?#

SMS OTP / Email OTP#

HMAC-based OTP (HOTP)#

Time-based OTP (TOTP)#

Advantages of OTP#

Why OTP is preferred over static passwords?#

How does OTP work?#

SMS OTP / Email OTP#

HMAC-based OTP (HOTP)#

Time-based OTP (TOTP)#

Advantages of OTP#

Why OTP is preferred over static passwords?#

How does OTP work?

SMS OTP / Email OTP

HMAC-based OTP (HOTP)

Time-based OTP (TOTP)

Advantages of OTP

Why OTP is preferred over static passwords?

How does OTP work?

SMS OTP / Email OTP

HMAC-based OTP (HOTP)

Time-based OTP (TOTP)

Advantages of OTP

Why OTP is preferred over static passwords?