One-time password (OTP) – more security online

Traditional passwords have many weaknesses. This is true even for those that have been carefully chosen and are actually secure passwords. The main problem: If you use a password regularly, there’s a risk that unauthorized users can gain access to your password. This often happens during replay attacks in which the password is intercepted and then reused by unauthorized users for authentication.

Sometimes it doesn’t matter how careful you are: In recent years, even well-known online services have been repeatedly targeted in cyberattacks that caused thousands of customer data to fall into the wrong hands.

How can you protect yourself from this? One strategy is to change your password at regular intervals. However, you don’t want to have to change your passwords every day. Another solution that’s much easier to implement is to use a one-time password.

A one-time password is a password that can be used once and then expires. One-time passwords are often referred to by their abbreviation OTP and are sometimes also called OTP codes.

A one-time password usually consists of an alphanumeric OTP code (letters and numbers) and is generated for a single login session. Once you’ve logged in with a one-time password, it expires and cannot be used for the next login session.

One-time passwords are often used for two-factor authentication in areas such as online banking, but they are now increasingly being used by companies, too. In the first step, you enter your usual login credentials. Then you generate a dynamic one-time password, which is also required for OTP authentication, using a tool such as a security token.

This additional step ensures much greater security. If unauthorized users gain access to your usual password during this login process, they still won’t have the dynamic one-time password, which is generated only as needed for a single login. For this reason, more and more online services are beginning to use two-factor authentication, especially when it comes to sensitive data.

For a one-time password to work, the user and the system in which it is used must know the password. There are two different methods to ensure this:

A password list is the easiest way to use one-time passwords. This is a ready-made list of passwords that are known to both the user and the system. If one of these one-time passwords is used, the user simply deletes it from the list.

The disadvantage of this method is obvious: If someone loses the list, unauthorized users could gain access to the passwords. While these lists of one-time passwords are still sometimes used in online banking, more and more providers are switching to dynamically generated OTP passwords for the reason explained above.

Today, dynamic one-time passwords are the most commonly used method. Hardware tokens are widely used for generating passwords on the fly. These small devices come in different forms such as key fobs or keypad devices.

These devices are also called OTP tokens. What they all have in common is that they usually have a display and generate one-time passwords for a login session at the push of a button. Passwords generated by these devices are often entered together with other authentication factors such as PINs or user IDs.

A special algorithm is used to generate a dynamic password on the fly. There are three different algorithm options:

• Time-based
• Event-based
• Challenge-response

With this method, the security token (client) and server create synchronized passwords using the same algorithm. This type of time-based one-time password (TOTP) is therefore known on the user side and the server side and is valid for a precisely defined time interval, usually 1 to 15 minutes.

Event-based one-time passwords are generated by performing a specific action, for example by pressing a button on the security token. As with the time-based method, the same algorithm is used on the server side and the user side. The password is calculated based on the previous password so it can be validated by the server.

In this method, the server specifies a request (challenge), which the client must answer (response). The client receives a certain value from the server and uses it to calculate the one-time password. Since the server knows the algorithm and the specified value, it can check the generated password.

One-time passwords are recommended for all online services and websites that involve highly sensitive and important data. Examples include:

• Online banking
• Financial services such as online stock portfolios or cryptocurrency exchanges
• Sensitive company data
• Confidential channels of communication

You don’t need a one-time password for every website. However, you should always be sure to use secure passwords, even if you use a password multiple times. Research has shown that, despite the steady increase in cybercrime, many users still have insufficient security awareness.