One-time password (OTP) – more security online
Traditional passwords have many weaknesses. This is true even for those that have been carefully chosen and are actually secure passwords. The main problem: If you use a password regularly, there’s a risk that unauthorized users can gain access to your password. This often happens during replay attacks in which the password is intercepted and then reused by unauthorized users for authentication.
Sometimes it doesn’t matter how careful you are: In recent years, even well-known online services have been repeatedly targeted in cyberattacks that caused thousands of customer data to fall into the wrong hands.
How can you protect yourself from this? One strategy is to change your password at regular intervals. However, you don’t want to have to change your passwords every day. Another solution that’s much easier to implement is to use a one-time password.
SSL certificates from IONOS
Protect your domain and gain visitors' trust with an SSL-encrypted website!
What is a one-time password?
A one-time password is a password that can be used once and then expires. One-time passwords are often referred to by their abbreviation OTP and are sometimes also called OTP codes.
A one-time password usually consists of an alphanumeric OTP code (letters and numbers) and is generated for a single login session. Once you’ve logged in with a one-time password, it expires and cannot be used for the next login session.
One-time passwords are often used for two-factor authentication in areas such as online banking, but they are now increasingly being used by companies, too. In the first step, you enter your usual login credentials. Then you generate a dynamic one-time password, which is also required for OTP authentication, using a tool such as a security token.
This additional step ensures much greater security. If unauthorized users gain access to your usual password during this login process, they still won’t have the dynamic one-time password, which is generated only as needed for a single login. For this reason, more and more online services are beginning to use two-factor authentication, especially when it comes to sensitive data.
Don’t confuse the abbreviation OTP for one-time password with one-time pad, which is also abbreviated OTP. One-time pad is another encryption technique that is considered very secure, but it’s much more complex to implement than the one-time password technique.
How does an OTP password work?
For a one-time password to work, the user and the system in which it is used must know the password. There are two different methods to ensure this:
Password list
A password list is the easiest way to use one-time passwords. This is a ready-made list of passwords that are known to both the user and the system. If one of these one-time passwords is used, the user simply deletes it from the list.
The disadvantage of this method is obvious: If someone loses the list, unauthorized users could gain access to the passwords. While these lists of one-time passwords are still sometimes used in online banking, more and more providers are switching to dynamically generated OTP passwords for the reason explained above.
Dynamically generated passwords
Today, dynamic one-time passwords are the most commonly used method. Hardware tokens are widely used for generating passwords on the fly. These small devices come in different forms such as key fobs or keypad devices.
These devices are also called OTP tokens. What they all have in common is that they usually have a display and generate one-time passwords for a login session at the push of a button. Passwords generated by these devices are often entered together with other authentication factors such as PINs or user IDs.
A special algorithm is used to generate a dynamic password on the fly. There are three different algorithm options:
- Time-based
- Event-based
- Challenge-response
Time-based
With this method, the security token (client) and server create synchronized passwords using the same algorithm. This type of time-based one-time password (TOTP) is therefore known on the user side and the server side and is valid for a precisely defined time interval, usually 1 to 15 minutes.
Event-based
Event-based one-time passwords are generated by performing a specific action, for example by pressing a button on the security token. As with the time-based method, the same algorithm is used on the server side and the user side. The password is calculated based on the previous password so it can be validated by the server.
Challenge-response based
In this method, the server specifies a request (challenge), which the client must answer (response). The client receives a certain value from the server and uses it to calculate the one-time password. Since the server knows the algorithm and the specified value, it can check the generated password.
When does it make sense to use one-time passwords?
One-time passwords are recommended for all online services and websites that involve highly sensitive and important data. Examples include:
- Online banking
- Financial services such as online stock portfolios or cryptocurrency exchanges
- Sensitive company data
- Confidential channels of communication
You don’t need a one-time password for every website. However, you should always be sure to use secure passwords, even if you use a password multiple times. Research has shown that, despite the steady increase in cybercrime, many users still have insufficient security awareness.
Aside from the OTP method, there are some other exciting methods that ensure greater security and that could become even more important in the future. Examples include the new WebAuthn standard, which could completely eliminate the need to remember passwords.
Pros and cons of one-time passwords at a glance
| Advantages | Disadvantages |
|---|---|
| Difficult to crack during replay attacks | Additional technology needed |
| No danger that a stolen password can be used for multiple sites or services | Security tokens can fail or break |
| Greater security for users | Process of OTP password generation can be cumbersome |
HiDrive Cloud Storage with IONOS!
Based in Europe, HiDrive secures your data in the cloud so you can easily access it from any device!
Related articles
iTAN, mTAN, chipTAN? An overview of all TAN procedures
Security in online banking has always been a cornerstone of the industry – TAN procedures like chipTAN are what make it possible. However, there are also many other variants of this two-factor authentication system that can be used to protect your banking transactions. As they say, a chain is only as strong as its weakest link – and in this case, it’s the user. Find out which TAN procedures are…
1Password alternatives: the best password managers
Password managers are extremely practical tools to help remember the passwords for the many online accounts you may have. They usually work via browser extensions or desktop apps, and are available across most operating systems. Among the many password managers, 1Password has established itself as a solid tool for many users. However, 1Password is relatively expensive and there are doubts about…
wk1003mikeShutterstock Password-Manager | Overview and Comparsion
Would you give your account number to a stranger? Most probably not. But millions of internet users may as well be giving away their personal data (and money!) when using passwords that hackers can crack in a matter of seconds. Password managers provide methods for creating and managing truly secure passwords.
Encryption software and tools in comparison
A good encryption software keeps your data secure. It enables you to easily protect a folder, hide hard drives, or sync encrypted data to a cloud, for example. Find out more information about recommended encryption tools and what they do, and get an overview of their advantages and disadvantages in our dedicated article.