What is an OTP - One-time password?

A one-time password (OTP) is an automatically generated sequence of numeric or alphanumeric characters that will authenticate a user for a single login or transaction. It is used in a multifactor authentication (MFA) process to secure access to data.


What exactly is a one-time password (OTP)?

A one-time password is a password that has two fundamental properties: it expires quickly, and it can’t be reused. You will frequently hear the abbreviation OTP as well as the terms "OTP key" and "OTP code".

OTPs are usually numeric or alphanumeric (letters and numbers) strings and are generated for a single login procedure. This means that after a user logs in with a one-time password, it is no longer valid and cannot be used for future logins.

OTP passwords are commonly used as part of a multifactor authentication (MFA/2FA) procedure. This applies, for example, to financial services (notably following the requirements of the PSD2 directive) and is becoming increasingly common to secure access to business applications or a corporate network.

How does it work?

One-time passwords are based on an algorithm that creates a new and random code each time that a password is requested. But to fully understand how an OTP works, there are two components to consider: the OTP generator and the authentication server. Let’s dive deeper into these 2 components.

The OTP generator

The OTP generator will provide the user with a unique password generated on:

  • something that the user has (an authentication token)
  • a Time-based One-time Password (TOTP) - which is an OTP where the moving factor is time-based
  • an HMAC-based One-time Password algorithm (HOTP) - which is an event-based OTP where the moving factor is counter-based rather than time-based

Depending on the MFA solution that is at the origin of the OTP, the OTP generator can also include something that the user knows (e.g. a PIN code). This is why it is important to check carefully whether your MFA solution is based on multiple factors or only one.

Check out our graph that will help you benchmark your MFA solution.

The authentication server

Once the OTP generator has provided the user with a unique password as seen above, the authentication server must verify the OTP.

What are the benefits of an OTP?

Prevent online identity theft

One of the great advantages of using one-time passwords to secure access is that they become invalid within a few seconds, which prevents hackers from retrieving the secret codes and reusing them.

Reduce support from IT team

When the chosen MFA solution is natively 2-factor, so that the user does not have to enter a login and password combination alongside the OTP (a passwordless MFA solution), and only then, IT support teams are less likely to be solicited by end users for password resets. End users are unlikely to make a mistake with a simple knowledge factor such as a PIN code. It’s a win-win for users and support teams.

Overcome password security issues

Once again, this is the case only when going for a passwordless authentication that is natively 2-factor. IT administrators and CISOs can avoid the common issues encountered when it comes to password security (weak passwords, sharing credentials, reusing the same password across multiple accounts and systems, etc.).

With inWebo, it also improves user experience

While some MFA solutions send the OTP to users by push notification or SMS and ask them to retype it in their login window, inWebo MFA generates and validates OTPs in a way that improves the user's login experience. The solution silently generates and validates the OTP, transparently for the user, allowing them to have a simple and passwordless login experience.

Don't settle for just any MFA solution


Highest level of security on the market

inWebo MFA features the unique and patented technology of dynamic random keys. This ensures the highest level of security on the market. Solution certified by the French National Cybersecurity Agency (ANSSI).

Easy integration and deployment

Available as SaaS and rich in connectors, APIs and SDKs, the solution adapts to your technical architecture without imposing new constraints. Deploy MFA quickly and on a very large scale, without human contact or logistics.

Passwordless and deviceless user experience

inWebo allows you to offer a simplified user experience, extended to all dimensions of authentication, from enrollment to login thanks to its universal, passwordless and deviceless tokens.
