Close

What is the OTP code and how it works

How to ensure safety with a disposable password, valid only for a single access session or a transaction
What is the OTP code and how it works
Reading time: 2 minutes

Content index

What is an OTP code?

In an increasingly technological and connected world, access and identification via OTP code is one of the most popular methods for registration and authentication. For example, it allows you to make secure online purchases and to use tools such as remote digital signature.

What is the OTP code? OTP stands for One-Time Password. The OTP code is therefore a disposable password, valid only for a single access session or a transaction, which guarantees high security standards and overcomes the problems associated with traditional passwords.

In fact, an OTP code, unlike a static password, is not vulnerable to replay-attacks. These are actions carried out by individuals or organizations against computer systems, infrastructures, computer networks and/or electronic devices in order to steal an authentication credential, transmitted from one host to another, and use it for simulating the user’s identity.

If a potential intruder manages to steal a disposable password – already used to access a service or for a transaction – they will not be able to reuse it because it will no longer be valid.

The OTP code can be the only authentication factor or it can be associated with other elements (e.g. a password or credit card PIN). For example, Two Factor Authentication (2FA) is a security protocol based on the use of two authentication methods to prevent the breach of sensitive data.

A disposable password, unlike a static one, cannot be stored. Therefore, its use requires additional technology, such as a smartphone or a physical token.

The technology behind the OTP code: how do One-Time Passwords work?

An OTP code is a disposable password made up of an alphanumeric code. The code is generated automatically by special devices, called tokens, or sent via SMS, email or smartphone apps.

Each disposable password is generated by applying a cryptographic function to a unique set of values. However, the OTP algorithms are quite different from each other to avoid the risk that a hacker easily predicts a future OTP after analyzing the previous ones.

Here are the different approaches for generating One-Time Passwords:

  • Algorithms based on time synchronization between the authentication server and the client providing the password. In this case, the OTPs are valid only for a short period of time and the value from which the OTP is generated is the current time. Typically, a time synchronization-based OTP code requires a hardware called token. The token is a personal security device with a display and a design similar to a traditional USB key;
  • Mathematical algorithms that generate a new password based on the previous password. The value from which the OTP is generated is a number within a predefined sequence;
  • Mathematical algorithms where the password is linked to a challenge (for example, a random number chosen by the authentication server or from the details of the transaction) and/or on a counter.

TAG