A one-time password (OTP), also called a one-time PIN or dynamic password, is an automatically generated numeric or alphanumeric string of characters that authenticates the user for a single transaction or login session.
A user-created or static password, particularly one that is weak or reused across multiple accounts, is less secure than an OTP. OTPs may be used in place of, or in addition to, login credentials to add an extra layer of protection.
Examples of one-time passwords
OTP security tokens are microprocessor-based smart cards or pocket-size key fobs that create a numeric or alphanumeric code to authenticate access to a device or transaction. Depending on how the token is set up, this secret code changes every 30 or 60 seconds. Mobile device apps like Google Authenticator depend on the token device and PIN to create the one-time password for two-step verification.
How to get a one-time password
When an unauthenticated user tries to access a system or perform a transaction on a computer, an authentication manager on the network server uses one-time password algorithms to create a number or shared secret. The authentication token on the smart card or computer uses the same number and algorithm to match and verify the one-time password and user.
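The shared-secret exchange described above, as an added example that is not part of the original page. It assumes the algorithm is the standard time-based OTP (RFC 6238, built on RFC 4226 HOTP), which the page does not name; `Verifier`, `drift` and the demo secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; the page mentions 30- or 60-second tokens
DIGITS = 6   # assumed code length

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = whole time steps since the epoch."""
    return hotp(secret, now // step)

class Verifier:
    """Server side: holds the shared secret and the last accepted time step."""
    def __init__(self, secret: bytes, step: int = STEP, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_step = -1  # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        # Accept a small clock-drift window around the current step.
        for s in range(current - self.drift, current + self.drift + 1):
            if s <= self.last_step:
                continue  # this step was already used: reject the replay
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False

# Constructed demo input: the ASCII test secret published in RFC 6238.
SECRET = b"12345678901234567890"

def demo():
    server = Verifier(SECRET)
    code = totp(SECRET, 59)               # token side, at t = 59 s
    first = server.verify(code, 59)       # fresh code inside the window
    replay = server.verify(code, 61)      # same code presented again
    expired = Verifier(SECRET).verify(code, 59 + 120)  # two minutes later
    return code, first, replay, expired

if __name__ == "__main__":
    print(demo())
```

Tracking the last accepted step is what makes the code single-use on the server; the drift window alone would let the same code be accepted more than once.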
Many businesses use SMS (Short Message Service) to send a text message with a temporary passcode as a second authentication factor. After the user enters a username and password on networked information systems and transaction-oriented web applications, the temporary passcode is obtained out of band through cellphone communications.
The benefits of using a one-time password
The one-time password avoids the common password security pitfalls that IT administrators and security managers face. They don't have to be concerned with password composition rules, known-bad and weak passwords, credential sharing, or the reuse of the same password across several accounts and systems. Another benefit of one-time passwords is that they expire in minutes, which stops attackers from accessing them.