What is OTP? How one-time password works.

Ashok Nayak

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC), or dynamic password, is a password that is valid for only one login session or transaction on a computer system. Is. other digital devices. OTPs avoid many of the drawbacks associated with traditional (static) password-based authentication; Many implementations also include two-factor authentication, by ensuring that a one-time password requires a person to have access to something (such as a small keyring fob device with an OTP calculator, or a smartcard or specific cellphone) as well as what a person knows (such as a PIN). (what is OTP read in Hindi)

OTP generation algorithms typically use pseudo-randomness or randomness to generate a shared key or seed, and cryptographic hash functions, which can be used to derive the value but are difficult to reverse and therefore can be used for attackers. It is difficult to obtain the data used for the hash. This is necessary because otherwise, it will be easy to predict the future OTPs by looking at the past OTPs.

OTP has been discussed as a potential replacement for traditional passwords as well as an enhancer. On the downside, OTPs can be intercepted or resent, and hard tokens can be lost, damaged, or stolen. Many systems that use OTPs do not implement them securely, and attackers can still learn passwords through phishing attacks to impersonate an authorized user.

Table of content (TOC)

What is OTP? How one-time password works. Features, generation of OTPs, Implementations, Security of OTP, Standardization, Use Of OTP, Expansion

Features OTP One-Time-Password

The most important advantage addressed by OTPs is that, unlike static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or make a transaction will not be able to access it, as it will no longer be valid. . The second major advantage is that a user who uses the same (or similar) password for multiple systems is not made vulnerable on all of them if the password for one of them is obtained by an attacker. The purpose of many OTP systems is also to ensure that a session cannot be easily intercepted or impersonated without knowledge of unexpected data created during the previous session, thus further reducing the attack surface.

There are also various ways to make the user aware to use the next OTP. Some systems use special electronic security tokens that the user holds and which generate OTPs and displays them using a small display. Other systems have software that runs on the user's mobile phone. Still, other systems generate OTPs on the server-side and send them to the user using out-of-band channels such as SMS messaging. Lastly, in some systems, the OTP is printed on paper which needs to be carried by the user.

In some mathematical algorithmic schemes, it is possible to provide a static key to the server for use as an encryption key, by simply sending a one-time password to the user.

generation of OTPs One-time-passwords

Concrete OTP algorithms vary greatly in their details. Various approaches to generate OTP include:

  • Based on time-synchronization between the authentication server and the client providing the password (OTPs are only valid for a short period of time)
  • Using a mathematical algorithm to generate a new password based on the previous password (OTP is effectively a series and must be used in a predefined order).
  • Using mathematical algorithms where the new password is based on a challenge (eg, a random number chosen by the authentication server or transaction details) and/or a counter.

Time-synchronized OTP One-time-passwords

A time-synchronized OTP is usually associated with a piece of hardware called a security token (for example, each user is given an individual token that generates a one-time password). It might look like a small calculator or keychain charm, with an LCD that shows a number that changes occasionally. Inside the token is an accurate clock that is synchronized with the clock on the proprietary authentication server. On these OTP systems, time is an important part of the password algorithm, as the generation of new passwords is based on the current time in addition to, rather than or in addition to, the previous password or secret key. This token can be a proprietary device, or a mobile phone, or a similar mobile device that runs proprietary, freeware, or open-source software. An example of a time-synchronized OTP standard is the Time-Based one-time password (TOTP). Some applications can be used to keep time-synchronized OTPs, such as Google Authenticator or Password Manager.

Hash chains OTP One-time-passwords

Each new OTP can be generated from the previous OTP used. An example of this type of algorithm, attributed to Leslie Lamport, uses a one-way function (call it f). This one-time password system works as follows:

  • A seed (starting value) s is chosen.
  • A hash function f(s) is applied to the seed repeatedly (for example, 1000 times), giving a value of: f(f(f( .... f(s) ... .))). This value, which we will call f1000, is stored on the target system.
  • The user's first login uses a password p which is obtained by applying f to the seed 999 times, i.e. f999(s). The target system can verify that this is the correct password because f(p) is f1000(s), which is the stored value. The stored value is then replaced with p and the user is allowed to log in.
  • The next login should be with f998(s). Again, this can be validated because hashing gives f999(s) which is p, the value stored since the last login. Again, the new value replaces p and the user is authenticated.

This can be repeated another 997 times, each time the password will be applied one less time, and is verified by checking that when hashed, it returns the value stored during the previous login. Hash functions are designed to be extremely difficult to reverse, so an attacker would need to know the initial seed to calculate a possible password, while the computer system could verify the password at any given time, it Validated by checking that when hashed, it returns the value previously used for login. If an indefinite range of passwords is required, a new seed value may be chosen after the set for s is exhausted.

To get the next password in the series from the previous password, one needs to find a way to calculate the inverse function f-1. Since f was chosen to be one-way, this is extremely difficult to do. If f is a cryptographic hash function, which is usually the case, then it is considered a computationally difficult function. An intruder who sees a one-time password may have a time period or access to the login, but after that period expires it becomes useless. The S/KEY one-time password system and its derivative OTP are based on Lamport's scheme.

Challenge-response OTP One-time-passwords

Challenge-response The use of a one-time password requires the user to respond to a challenge. For example, this can be done by inputting the value that the token has generated in the token itself. To avoid duplicates, an additional counter is usually involved, so if someone receives the same challenge twice, it results in different one-time passwords. However, the calculation does not usually include previous one-time passwords; That is, usually, instead of using both algorithms, one or another algorithm is used.

Implementations Of OTP One-time-passwords


A common technique used for the delivery of OTP is text messaging. Since text messaging is a ubiquitous communication channel, available directly in almost all mobile handsets and via text-to-speech conversion, on any mobile or landline telephone, text messaging has the potential to reach all consumers with a low total cost. Has huge potential. Applicable. OTPs over text messaging can be encrypted using the A5/x standard, which many hacking groups report can be successfully decrypted within minutes or seconds. 

Additionally, security flaws in the SS7 routing protocol could and could be used to redirect attackers to related text messages; In 2017, several O2 customers in Germany were breached to gain access to their mobile banking accounts. 

In July 2016, the US NIST issued a draft special publication with guidance on authentication practices, discouraging the use of SMS as a method of implementing out-of-band two-factor authentication, as SMS can be intercepted. on a scale of. 

Text messages are also vulnerable to SIM swap scams – in which an attacker fraudulently transfers the victim's phone number to his own SIM card, which can be used to gain access to messages being sent to him. Is.

Hardware tokens

RSA Security's SecurID is an example of a time-synchronization type-token alongside HID Global's solutions. Like all tokens, they can be lost, damaged, or stolen; Additionally, there is an inconvenience as the battery dies, especially for tokens without a recharging feature or with a non-replaceable battery. A variant of the proprietary token was proposed by RSA in 2006 and described as "ubiquitous authentication", in which RSA would partner with manufacturers to add physical SecurID chips to devices such as mobile phones.

Recently, it has become possible to take the electronic components associated with a regular keyfob OTP token and embed them in a credit card form factor. However, the card's thinness, 0.79 mm to 0.84 mm thick, precludes the use of standard components or batteries. Special polymer-based batteries must be used that has a much shorter battery life than coin (button) cells. Semiconductor components must not only be very flat but also reduce the power used while on standby and in operation.

Yubico offers a small USB token with an embedded chip that generates an OTP when a key is pressed and simulates a keyboard to facilitate easy entering a long password. Since this is a USB device, it avoids the inconvenience of changing the battery.

A newer version of this technology has been developed that embeds a keypad into payment cards of standard size and thickness. The card has an embedded keypad, display, microprocessor, and proximity chip.

Soft tokens OTP One-time-passwords

On smartphones, one-time passwords can also be delivered directly via mobile apps, including dedicated authentication apps like Authy and Google Authenticator, or in the case of a service's existing apps, such as Steam. These systems do not share the same security vulnerabilities as SMS and do not necessarily require a connection to a mobile network to be used.

Hard copies of OTPs 

In online banking in some countries, the bank sends a numbered list of OTPs to the user which is printed on paper. Other banks send plastic cards in which the original OTP is hidden by a layer which the user has to scratch to reveal a numbered OTP. For each online transaction, the user is required to enter a unique OTP from that list. Some systems ask for numbered OTPs sequentially, others pseudo-randomly choose an OTP to be entered.

Security of OTP One-time-passwords

When implemented correctly, OTPs are no longer useful to an attacker within a short time of their initial use. This is different from passwords, which can still be useful to attackers years after the fact.

As with passwords, OTPs are vulnerable to social engineering attacks, in which phishers steal OTPs by tricking customers into providing them with their OTPs. Like passwords, OTPs can also be vulnerable to man-in-the-middle attacks, making it important to communicate them through a secure channel, for example, Transport Layer Security.

The fact that both Password and OTP are vulnerable to similar types of attacks was a major impetus for Universal Second Factor, which is designed to be more resistant to phishing attacks.

OTPs that do not include a time-synchronization or challenge-response component will have a long window of vulnerability if compromised before their use. In late 2005 the customers of a Swedish bank were tricked into giving them their pre-supplied one-time passwords. In 2006 such an attack was used on customers of a US bank.

Standardization Of OTP One-time-passwords

Many OTP technologies are patented. This makes standardization more difficult in this area, as each company tries to advance its technology. However, standards do exist - for example, RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP) and RFC 6238 (TOTP).

Use Of OTP One-time-passwords

Mobile phone

A mobile phone itself can be a hand-held authentication token. Mobile text messaging is one of the ways to achieve OTAC via mobile phone. In this way, a service provider sends a text message that includes an OTAC encrypted by a digital certificate to the user for authentication. According to a report, mobile text messaging offers higher security when it uses public key infrastructure (PKI) to provide bidirectional authentication and non-repudiation, according to theoretical analysis.

SMS Banking, as a method of obtaining OTAC, is widely used in our daily life for credit/debit cards and security purposes.


There are two ways to use the telephone to verify the user's authentication.

With the first method, a service provider displays an OTAC on a computer or smartphone screen and then makes an automated telephone call to a number that has already been authenticated. The user then enters the OTAC that appears on their screen in the telephone keypad.

With the second method, which is used to authenticate and activate Microsoft Windows, the user calls a number that is provided by the service provider and enters the OTAC that the phone system gives to the user.


In computer technology, it is known that a one-time authorization code (OTAC) via email is used in a broader sense, and a one-time authorization code (OTAC) via web application is used in a more professional sense.

Email is one of the common ways to use OTAC. Two main methods are used. With the first method, a service provider sends a personalized one-time URL to an authenticated email address eg. @ucl.ac.uk, When the user clicks on the URL the server authenticates the user. With the second method, a service provider sends a personal OTAC (eg an encrypted token) to an authenticated email address. The server authenticates the user when the user types the OTAC into the website.

A web application can generate a unique personal identification number (PIN) that the user can input into a desktop client, the desktop client, in turn, uses that code to authenticate to the web application. This form of authentication is particularly useful in web applications that do not have an internal username/password store but instead use SAML for authentication. Because SAML only works within the browser, a desktop-based web application client cannot successfully authenticate using SAML. Instead, the client application can use a one-time authorization code (OTAC) to authenticate itself to the web application. In addition, when a third-party application needs to have limited access to an HTTP service, it is possible to use the OAuth authorization framework.


It is possible to send to a user via OTAC post or registered mail. When a user requests OTAC, the service provider sends it through post or registered mail and then the user can use it for authentication. For example, in the UK, some banks send their OTAC to the Internet Banking Authority via post or registered mail.

Expansion of OTP One-time-passwords

Quantum cryptography, which is based on the uncertainty principle, is one of the ideal methods for producing OTAs.

Furthermore, it has been discussed and used not only for authentication using an encrypted code but also using QR codes such as Graphical One Time PIN Authentication which provides decentralized access control with anonymous authentication. technology provides.

See also

Google Authenticator
Initiative For Open Authentication
Key-agreement protocol
One-time pad
Personal identification number
Public Key Infrastructure
QR Code
Security token
Time-based One-time Password algorithm
Two-factor authentication
OTP Bypass

Various Info Conclusion

So friends, how did you like our post! Don't forget to share this with your friends, below Sharing Button Post.  Apart from this, if there is any problem in the middle, then don't hesitate to ask in the Comment box. If you want, you can send your question to our email Personal Contact Form as well.  We will be happy to assist you. We will keep writing more posts related to this. So do not forget to bookmark (Ctrl + D) our blog `Various Info` on your mobile or computer and subscribe to us now to get all posts in your email. If you like this post, then do not forget to share it with your friends.  You can help us reach more people by sharing it on social networking sites like WhatsApp, Facebook, or Twitter.  Thank you!

Post a Comment

* Please Don't Spam Here. All the Comments are Reviewed by Admin.

If you liked the information of this article, then please share your experience by commenting. This is very helpful for us and other readers. Thank you

If you liked the information of this article, then please share your experience by commenting. This is very helpful for us and other readers. Thank you

Post a Comment (0)

Our website uses cookies to enhance your experience. Learn More
Accept !

Adblocker detected! Please consider reading this notice.

We've detected that you are using AdBlock Plus or some other adblocking software which is preventing the page from fully loading.

We don't have any banner, Flash, animation, obnoxious sound, or popup ad. We do not implement these annoying types of ads!

We need money to operate the site, and almost all of it comes from our online advertising.