One-time password

OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows (such as a PIN).

OTP generation algorithms typically combine two ingredients: a shared key or seed produced from randomness (or a seeded pseudorandom generator) and provisioned to both the token and the server, and a cryptographic hash function (usually inside an HMAC) that derives each password from that seed together with a moving factor such as a counter or the current time. Because the hash is hard to reverse, an attacker who observes the derived value cannot recover the seed and so cannot compute the next password.

On the downside, OTPs can be intercepted or rerouted, and hard tokens can get lost, damaged, or stolen.

[1] The most important advantage of OTPs over static passwords is that they are resistant to replay attacks.

A potential intruder who records an OTP that was already used to log in to a service or to conduct a transaction cannot reuse it, because the server treats each password as valid at most once and it is no longer accepted after it has been consumed.

Some systems use special electronic security tokens that the user carries and that generate OTPs and show them using a small display.

Other systems generate OTPs on the server side and send them to the user over an out-of-band channel such as SMS messaging.

In challenge-response schemes, an additional counter is usually mixed into the computation to avoid duplicates, so that even if the same challenge is issued twice, the two responses are different one-time passwords.
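The following is an added example (not code from the original article or from any vendor named on it) that ties together the derivation from a shared seed and hash function, the replay resistance described above, and the role of the moving counter. It implements the HMAC-based OTP construction of RFC 4226 (HOTP) in pure Python together with a minimal server-side verifier; the demo secret is the RFC's own published test seed, the look-ahead window size is an assumed policy value, and the verifier's in-memory counter stands in for whatever durable store a real deployment would use.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the ASCII secret used for the RFC 4226 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the shared seed and the next counter
    value the server is willing to accept (assumed in-memory store)."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead  # assumed policy: tolerate a few unused presses
        self.digits = digits
        self.next_counter = 0

    def verify(self, submitted: str) -> bool:
        """Accept the code if it matches any counter in [next, next+look_ahead).
        Counters below next_counter are never retried, so a recorded OTP that
        was already consumed (or skipped) can never be replayed."""
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.next_counter = c + 1  # resynchronise past the accepted value
                return True
        return False


if __name__ == "__main__":
    v = HotpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("counter 0 ->", first, "accepted:", v.verify(first))
    print("same code replayed, accepted:", v.verify(first))
```

The verifier compares with `hmac.compare_digest` so that a wrong guess does not leak, through timing, how many leading digits matched. The look-ahead window is what lets a user who pressed the token a few times without logging in stay synchronised; making it large widens the set of codes an attacker could guess at, so it is a policy trade-off rather than a free parameter.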

Because text messaging is a ubiquitous communication channel, being directly available in nearly all mobile handsets and, through text-to-speech conversion, to any mobile or landline telephone, text messaging has a great potential to reach all consumers with a low total cost to implement.

An OTP sent by text message is protected in transit over the GSM air interface only by the A5/x family of ciphers (A5/1 and the deliberately weakened A5/2), which several hacking groups report can be broken within minutes or seconds, so a nearby eavesdropper can recover the code.

[4][5][6][7] Additionally, security flaws in the SS7 telephony signalling protocol can be, and have been, used to redirect the associated text messages to attackers; in 2017 several O2 customers in Germany were attacked in this manner in order to gain access to their mobile banking accounts.

It has become possible to take the electronic components associated with regular keyfob OTP tokens and embed them in a credit card form factor.

Yubico offers a small USB token with an embedded chip that generates an OTP when its button is pressed and presents itself to the host as a USB keyboard, so the long password is typed into the login form automatically rather than transcribed by the user.

A new version of this technology has been developed that embeds a keypad into a payment card of standard size and thickness.

These systems do not share the same security vulnerabilities as SMS, and do not necessarily require a connection to a mobile network to use.

OTPs that do not involve a time-synchronization or challenge-response component necessarily have a longer window of vulnerability if they are compromised before use: a code from a pre-printed list or an unexpired server-issued code stays valid until it is either consumed or explicitly invalidated, whereas a time-based code expires on its own after one time step.
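The following is an added example (not code from the original article) illustrating the server-generated, out-of-band OTP described above and the window-of-vulnerability point. It contrasts two assumed server-side stores: one for codes the service generates itself and sends over SMS or voice, which expire after a fixed time-to-live, are single-use and allow only a few guesses; and one for a pre-supplied list of codes, which has no expiry and so leaves a phished-but-unused code valid indefinitely. The five-minute TTL, the three-attempt limit and the in-memory dictionaries are assumptions for the example; a real deployment would back them with a durable store.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300.0   # assumed policy: code is valid for five minutes
MAX_ATTEMPTS = 3          # assumed policy: three wrong guesses burn the code


def _salted_digest(code: str, salt: bytes) -> bytes:
    """Store only a salted hash so a database leak does not reveal live codes."""
    return hashlib.sha256(salt + code.encode("ascii")).digest()


@dataclass
class PendingOtp:
    digest: bytes
    salt: bytes
    expires_at: float
    attempts_left: int


class OutOfBandOtpService:
    """Issues a random code per user for delivery over SMS/voice and redeems
    it exactly once, within its TTL, with a bounded number of guesses."""

    def __init__(self, ttl: float = OTP_TTL_SECONDS):
        self.ttl = ttl
        self.pending: Dict[str, PendingOtp] = {}   # assumed in-memory store

    def issue(self, user: str, now: float) -> str:
        # CSPRNG, never random.random(); the clear code goes only to the gateway.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[user] = PendingOtp(_salted_digest(code, salt), salt,
                                        now + self.ttl, MAX_ATTEMPTS)
        return code

    def redeem(self, user: str, submitted: str, now: float) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if now > entry.expires_at:            # the window has closed on its own
            del self.pending[user]
            return False
        if not hmac.compare_digest(_salted_digest(submitted, entry.salt), entry.digest):
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:      # stop online guessing of a 6-digit code
                del self.pending[user]
            return False
        del self.pending[user]                # single use: success consumes the code
        return True


class PreSuppliedOtpList:
    """A printed list of codes (TAN-style): single-use, but with no expiry, so a
    code an attacker phishes today remains valid until the user spends it."""

    def __init__(self, codes: List[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = {_salted_digest(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        d = _salted_digest(submitted, self.salt)
        if d in self.unused:
            self.unused.remove(d)
            return True
        return False
```

The two `redeem` methods are deliberately parallel: both reject reuse, but only the out-of-band service has a clock in the decision. That single check is what turns an intercepted SMS code from a standing credential into one the attacker must spend within minutes.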

In late 2005 customers of a Swedish bank were tricked into giving up their pre-supplied one-time passwords.

In this approach, a service provider sends the user a text message containing an OTAC that has been encrypted to a key bound to the user's digital certificate, so only the holder of the matching private key can read it.

[19] SMS is widely used as a channel for receiving OTACs, for purposes such as online banking, credit and debit card transactions, and account security.

With one telephone-based method, a service provider shows an OTAC on the computer or smartphone screen and then places an automated telephone call to a number that has already been authenticated, so the user confirms the code over a channel tied to a known handset.

Captions of images on the original page: MasterCard SecureCode uses an OTAC to confirm a user's identity; a one-time authorization code as used in Yammer's desktop client; RSA SecurID security tokens; an example of a soft token; a paper-based OTP list.