OTPs

One-time passwords (OTPs) are codes used to authenticate a user for a single login or transaction. A valid OTP is typically usable once and expires after a short period or after use, reducing the risk of reuse.

There are two common cryptographic forms: HOTP (HMAC-based One-Time Password) and TOTP (Time-based One-Time Password). HOTP relies on a counter value, while TOTP uses the current time as the moving factor. Both are defined in widely used standards, with HOTP in RFC 4226 and TOTP in RFC 6238, and are frequently generated by authenticator apps or hardware tokens, or delivered by SMS or email.

Delivery and generation methods vary. Authenticator apps such as Google Authenticator or Authy generate codes on a user’s device, typically every 30 seconds for TOTPs. SMS and email can deliver codes as a message to the user, while hardware tokens provide a displayed code or use a cryptographic challenge-response. Some systems also support push-style approvals, which are separate from traditional OTPs.

Usage and purpose include providing a second factor in multi-factor authentication and, in some cases, authorizing high-risk actions like financial transfers or sensitive changes.

Security considerations: OTPs improve security over static passwords but are vulnerable to phishing, malware, SIM-swapping, and interception when delivered by SMS. They do not fully eliminate credential theft; phishing-resistant MFA and passwordless solutions, such as FIDO2/WebAuthn hardware keys, offer stronger protection. Backup codes or alternate recovery methods are often provided for account access.

Limitations: OTPs require users to manage devices or channels, and the secret seeds or delivery channels themselves can be targeted. Time synchronization and device security are important for reliable operation.
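The following is an added example, not code from the original page: it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, and a server-side verifier that shows the two properties discussed above, single use (a code accepted once is rejected on replay) and tolerance for small clock drift via a step window. The function names, the `TotpVerifier` class, and its "highest accepted counter" replay policy are assumptions of this example; the secret and expected codes used in the comments are the published test vectors from the two RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects a 4-byte window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second periods since t0."""
    if for_time is None:
        for_time = time.time()
    counter = int((for_time - t0) // step)
    return hotp(secret, counter, digits, algorithm)


def secret_from_base32(seed: str) -> bytes:
    """Authenticator apps exchange seeds as base32 (otpauth:// URIs); pad and decode."""
    seed = seed.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    return base64.b32decode(seed)


class TotpVerifier:
    """Server-side check with a +/-`window` step tolerance and a replay guard.

    Replay policy (an assumption of this example, one common approach): remember the
    highest time-step counter ever accepted and refuse any code at or below it, so a
    code can be used once and cannot be replayed within the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        current = int(now // self.step)
        for c in range(current - self.window, current + self.window + 1):
            if c <= self.last_counter:
                continue                           # already consumed (or older than a consumed code)
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = c
                return True
        return False


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890")
RFC_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Exercise generation and the verifier; returns results for inspection/testing."""
    t = 1111111109                                  # a timestamp used in the RFC 6238 vectors
    code = totp(RFC_SECRET, for_time=t)
    v = TotpVerifier(RFC_SECRET, window=1)
    first = v.verify(code, now=t)                   # fresh code at its own time step
    replay = v.verify(code, now=t)                  # same code again: must be rejected
    v2 = TotpVerifier(RFC_SECRET, window=1)
    late_ok = v2.verify(code, now=t + 30)           # one step late, inside the window
    v3 = TotpVerifier(RFC_SECRET, window=1)
    too_late = v3.verify(code, now=t + 90)          # three steps late, outside the window
    return {"hotp0": hotp(RFC_SECRET, 0),           # "755224" per RFC 4226
            "totp59": totp(RFC_SECRET, 59, digits=8),  # "94287082" per RFC 6238
            "first": first, "replay": replay, "late_ok": late_ok, "too_late": too_late}


if __name__ == "__main__":
    print(demo())
```

The window is the knob that trades drift tolerance against the number of codes a verifier will accept at any moment; keeping it at one step on each side and pairing it with the replay guard is what lets a clock that is a few seconds off still work without making an intercepted code reusable.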