One-time password (OTP) – more security online
Traditional passwords have many weaknesses, even when they have been carefully chosen and are genuinely strong. The main problem: a password you use again and again is a static secret. Every time you enter it, there is a risk that unauthorised users capture it, for example via a phishing page, malware on your device or a leaked database. A captured password can then be replayed: in a replay attack, the attacker simply submits the intercepted password again to authenticate as you.
Sometimes it doesn’t matter how careful you are: in recent years, even well-known online services have repeatedly been targeted by cyberattacks in which the data of thousands of customers fell into the wrong hands.
How can you protect yourself from this? One strategy is to change your password at regular intervals, but rotation only limits how long a stolen password remains valid, and nobody wants to change their passwords every day. A solution that is much easier to live with is a one-time password: a code that is valid for a single login, so an intercepted code is worthless afterwards.
What is a one-time password?
A one-time password is a password that can be used once and then expires. One-time passwords are usually referred to by their abbreviation OTP and are sometimes also called OTP codes.
A one-time password is usually a short numeric or alphanumeric code, typically six to eight digits, generated for a single login session. Once you have logged in with it, it is consumed and cannot be used for another login session.
One-time passwords are often used for two-factor authentication in areas such as online banking, but they are now increasingly being used by companies, too. In the first step, you enter your usual login credentials. Then you generate a dynamic one-time password, which is also required for OTP authentication, using a tool such as a hardware security token or an authenticator app on your phone.
This additional step ensures much greater security. If unauthorised users gain access to your usual password during this login process, they still won’t have the dynamic one-time password, which is generated only as needed for a single login. For this reason, more and more online services are beginning to use two-factor authentication, especially when it comes to sensitive data.
Don’t confuse the abbreviation OTP for one-time password with one-time pad, which is also abbreviated OTP. The one-time pad is an encryption technique that is provably secure when used correctly, but it is impractical for everyday use because it requires a truly random key that is as long as the message, shared in advance and never reused.
How does an OTP password work?
For a one-time password to work, the user’s side and the system that checks it must both be able to produce or recognise the same password. There are two different ways to ensure this:
Password list
A password list is the simplest way to use one-time passwords. It is a ready-made list of passwords known to both the user and the system. When one of these one-time passwords is used, the user crosses it off the list and the system marks it as used, so it cannot be accepted a second time.
The disadvantage of this method is obvious: If someone loses the list, unauthorised users could gain access to the passwords. While these lists of one-time passwords are still sometimes used in online banking, more and more providers are switching to dynamically generated OTP passwords for the reason explained above.
Dynamically generated passwords
Today, dynamic one-time passwords are the most commonly used method. Hardware tokens are widely used for generating passwords on the fly. These small devices come in different forms such as key fobs or keypad devices.
These devices are also called OTP tokens. What they all have in common is that they usually have a display and generate one-time passwords for a login session at the push of a button. Passwords generated by these devices are often entered together with other authentication factors such as PINs or user IDs.
A special algorithm is used to generate a dynamic password on the fly. There are three different algorithm options:
- Time-based
- Event-based
- Challenge-response
Time-based
With this method, the security token (client) and the server hold the same secret key and compute the same password from that key and the current time using the same algorithm. This time-based one-time password (TOTP) is therefore known on the user side and the server side without ever being transmitted in advance, and it is valid only for a fixed time step, typically 30 or 60 seconds; the server usually also accepts the neighbouring time steps to tolerate small clock differences. Because the code depends only on the key and the time, the token needs no connection to the server, but its clock must stay roughly in sync.
Event-based
Event-based one-time passwords are generated by performing a specific action, for example pressing a button on the security token. As with the time-based method, the same algorithm and the same secret key are used on the server side and the user side. Instead of the time, the input is a counter that both sides increment with each generated password (HOTP). The server keeps track of the counter value it expects next and typically accepts a small look-ahead window, because the user may have pressed the button without completing a login; once a counter value has been accepted, it and all lower values are rejected, so a captured code cannot be replayed.
Challenge-response based
In this method, the server sends a request (challenge), which the client must answer (response). The client receives a value from the server, usually a fresh random number, and uses it together with the shared secret to calculate the one-time password. Since the server knows the algorithm, the secret and the value it sent, it can check the response. The challenge must never be reused: if the same challenge were sent twice, a recorded response could be replayed.
When does it make sense to use one-time passwords?
One-time passwords are recommended for all online services and websites that involve highly sensitive and important data. Examples include:
- Online banking
- Financial services such as online stock portfolios or cryptocurrency exchanges
- Sensitive company data
- Confidential channels of communication
You don’t need a one-time password for every website. However, you should always use strong passwords, and a different one for each service: a password reused across sites means that a breach at one of them exposes your accounts at all the others. Research has shown that, despite the steady increase in cybercrime, many users still have insufficient security awareness.
Aside from the OTP method, there are some other exciting methods that ensure greater security and that could become even more important in the future. Examples include the new WebAuthn standard, which could completely eliminate the need to remember passwords.
Pros and cons of one-time passwords at a glance
| Advantages | Disadvantages | 
|---|---|
| Resistant to replay attacks: an intercepted code is useless once it has been used or has expired | Additional technology needed | 
| No danger that a stolen password can be used for multiple sites or services | Security tokens can fail or break | 
| Greater security for users | Process of OTP password generation can be cumbersome | 