One-Time Password (OTP)
OTP stands for "One-Time Password." It is a unique, temporary password or code that is used for a single login session or transaction. OTPs provide an additional layer of security (often referred to as Multi-Factor Authentication (MFA) or two-factor authentication, 2FA) beyond just a username and password. They are designed to combat various forms of online attacks such as phishing, credential theft, and brute-force attacks.
An OTP is typically valid for only a short period of time, often a few minutes, after which it expires and cannot be used. Each OTP is unique to a specific transaction or login session.
OTPs can be generated in various ways, including:
- Algorithm-Based: Generated using algorithms (like HMAC-based One-Time Password (HOTP) or Time-based One-Time Password (TOTP)) which the server and the user's device compute independently from a shared secret plus a moving factor, a counter for HOTP or the current time step for TOTP, so the two sides stay synchronized without exchanging the code.
- SMS or Email: Sent to the user's registered phone number or email address.
- Hardware Tokens: Generated by a dedicated physical device (like a security token).
- Software Tokens: Generated by an authentication app on the user's smartphone (such as Google Authenticator or Authy).
OTPs add an extra security layer, making it more difficult for attackers to gain unauthorized access, even if they have the user’s primary password. Since an OTP is only valid for one login session or transaction, it cannot be reused by an attacker.