auth
OTP (One-Time Password)
Also known as: one-time code, verification code, OTC
A short, single-use password generated for a single authentication attempt, typically 4 to 8 digits, used as a second factor or out-of-band confirmation.
An OTP (one-time password) is a short authentication string that is valid for exactly one login or transaction. Once it has been used, or once its short validity window has expired, the server rejects it. OTPs limit the damage of credential capture: a static password that is leaked or reused stays valid indefinitely, whereas a code observed in transit or in a log is worthless after it has been consumed. Until that moment it is still a live credential, which is why the server must track consumed codes and why the validity window should be kept short.
OTPs come in two main flavors. HOTP (HMAC-based One-Time Password, RFC 4226) generates codes from a counter shared between the server and the client: the client increments its counter each time it produces a code, the server increments its copy on each successful verification, and the server tolerates a small look-ahead window so that codes generated but never submitted do not desynchronise the two sides. TOTP (Time-based One-Time Password, RFC 6238) replaces the counter with the current Unix time divided into discrete steps, typically 30 seconds, and servers usually accept the adjacent step on either side to absorb clock skew. Both schemes compute an HMAC (SHA-1 by default, with SHA-256 or SHA-512 as options) of the 8-byte big-endian counter under the shared secret, pick a 4-byte window from the digest using its low nibble as an offset (the "dynamic truncation" of RFC 4226), mask it to 31 bits and reduce it modulo 10^d to produce the d visible digits.
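The HOTP and TOTP computation above, together with the server-side verification rules that the text only describes (a HOTP look-ahead window that resynchronises the counter and forbids reuse of skipped values, and a TOTP skew window that rejects any time step at or below the last consumed one), as an added example written for this entry rather than code from RFC 4226/6238 or any particular library. The secret `12345678901234567890` and the expected codes come from the published RFC test vectors; the class and function names are this example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF   # 31-bit value
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of whole time steps since the epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algo)


class HotpVerifier:
    """Server side of HOTP: accept a code within a look-ahead window, then move the counter
    past it so that the accepted value and every skipped value are dead for good."""

    def __init__(self, secret: bytes, digits: int = 6, look_ahead: int = 10):
        self.secret, self.digits, self.look_ahead = secret, digits, look_ahead
        self.counter = 0                          # next counter value we expect

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1              # resync; earlier counters can never be replayed
                return True
        return False                              # no state change on failure


class TotpVerifier:
    """Server side of TOTP: tolerate +/- skew steps of clock drift, but never accept a step
    at or below the last one that was consumed, which blocks replay inside the window."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, skew: int = 1):
        self.secret, self.digits, self.step, self.skew = secret, digits, step, skew
        self.last_step = -1                       # highest time step already used

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        current = unix_time // self.step
        for offset in range(-self.skew, self.skew + 1):
            t = current + offset
            if t <= self.last_step:
                continue                          # already consumed (or older): replay attempt
            if hmac.compare_digest(hotp(self.secret, t, self.digits), code):
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    # Constructed check against the RFC 4226 / RFC 6238 SHA-1 test vectors.
    secret = b"12345678901234567890"
    print(hotp(secret, 0), hotp(secret, 1))               # 755224 287082
    print(totp(secret, 59, digits=8))                     # 94287082
    v = TotpVerifier(secret, digits=8)
    print(v.verify("94287082", 59), v.verify("94287082", 59))   # True False (replay rejected)
```

The constant-time comparison matters less for 6-digit codes than for long secrets, but it costs nothing; the rule that actually protects the scheme is the one-way movement of `counter` and `last_step`, which is what turns a "password" into a one-time password on the server.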
In practice, OTP delivery happens through several channels:
- SMS: the server generates a random short code, sends it via the carrier network, and the user types it into the login form. This is the most common channel and the weakest: SIM swapping, SS7 interception and SMS-reading malware all put the code in the attacker's hands.
- Email: similar to SMS but delivered to an inbox. It is slower, and its strength is exactly that of the mailbox: whoever controls the inbox (or the password-reset flow that leads to it) receives every code.
- Authenticator app: TOTP code generated locally on a device using a secret exchanged at enrollment, usually as a QR code.
- Push notification: a one-tap confirmation prompt to a registered device. Strictly speaking no code is typed, but it is grouped with OTPs in practice; because approval takes one tap, it is exposed to "push fatigue", where an attacker who already holds the password sends prompts until the user accepts one.
- Hardware token: a dedicated device (RSA SecurID, YubiKey) that displays or transmits the code.
OTPs are a building block of 2FA and step-up authentication. The security of an OTP system depends entirely on the secrecy of the seed material and the integrity of the delivery channel: an OTP delivered over SMS to a SIM-swapped number provides no real protection. Locally-generated TOTP codes are stronger because there is no delivery channel to intercept, but the seed must then be protected at both ends. The server has to keep it in a recoverable form (it cannot be hashed like a password, because the server must recompute codes from it), so a leak of the seed database lets an attacker generate valid codes for every enrolled user; and the QR code shown at enrollment is that seed in the clear.
Modern web standards (WebAuthn, passkeys) are gradually displacing OTPs because OTPs remain phishable: a user can be tricked into typing their OTP into a fake login page, and a proxy behind that page can relay it to the real site within the validity window, so the short lifetime does not help. WebAuthn resists this because the credential is bound to the site's origin and the user never handles a secret. Despite this, OTP via SMS or authenticator app remains the de facto standard for second-factor authentication on the consumer web in 2026.
Example
Enter the 6-digit OTP we just sent to your phone to complete sign-in.