One-Time Password (OTP)

The term one-time password (OTP), also called a one-time code, describes a password that consists of a short, unpredictably generated string of characters (usually digits) and is valid for a single login or transaction only, in most schemes for a limited period of time as well. Once it has been used or has expired, it is worthless to anyone who later obtains it.

A one-time password is very often used in conjunction with a standard password as an additional factor in multi-factor authentication (MFA); when exactly two factors are used, this is called two-factor authentication (2FA). In this process, the user first logs in with their user name or e-mail address and the password they have set. In the next step, the one-time password is entered and serves as an additional security level: an attacker who has only the password cannot complete the login.

The important point is that the one-time password is known only to the user and the system for which the code is intended, and that it cannot be predicted from previously used codes. Below are the two methods for generating an OTP.

  • Creation of an OTP on the service provider/server side: The service provider or its server creates a one-time password and sends it to the user via a previously defined route. This can be, for example, a code or magic link that is sent by SMS/e-mail to a previously verified mobile phone number/e-mail address, or a letter that is sent to a previously verified postal address and contains a one-time password or a list of several one-time passwords (e.g. a TAN list). The disadvantage of this method is that letters, e-mails and text messages can be intercepted by third parties (for SMS, for instance, by SIM swapping or by attacks on the mobile network), and the content can be read and used for fraudulent purposes. In addition, such a code is bound only to the delivery channel, not to the login it is meant to confirm, so a user can be tricked into entering it on a phishing site. This is therefore not the most secure form of delivering a password.

  • Creating an OTP on the user/client side: The increasingly popular and also more secure method today is to generate the password with an OTP generator. This can either be an authenticator app or separate hardware (an OTP token), usually in the form of a key fob. Client and server need to coordinate only once, when the software/hardware is set up: they share a secret key (for apps typically by scanning a QR code) and agree on the algorithm, i.e. counter-based HOTP or time-based TOTP, the code length and the time step. From then on, no further communication is required to create a code. The client derives each one-time password from the shared secret and a moving factor (an event counter or the current time step), and the user sends it to the server over the normal login connection. The server holds the same secret, computes the expected value independently and compares it with what was entered; it also rejects any code, or any counter/time step, that has already been accepted, so that an intercepted code cannot be replayed. The code itself is not encrypted by the scheme; its protection in transit relies on the login channel (TLS), just as for the regular password.

We at Engity are of the opinion that a one-time password should always be used if important and sensitive data is involved, such as online banking.