Most consumers now recognize (and expect to use) two-factor authentication as the most secure way to protect their accounts from unauthorized access, but they prefer a frictionless login experience whenever possible. One-time passwords provide the best of both worlds, offering both the consumer and the company with which they’re doing business a quick and easy way to confirm that they’re the true owner of an account.
What is OTP?
Also known as a one-time PIN or OTP code, one-time passwords are usually six-digit, algorithmically generated codes that businesses send to customers trying to log into their accounts. Customers use these single-use passwords, typically in addition to their regular login credentials, to easily verify their identity to the company.
Widespread adoption of OTPs began in the financial services industry, but amid growing cyber security threats, its use has spread to many other sectors. It’s now common to find OTPs when logging into email accounts, retail websites, social media platforms, and streaming services.
How Does an OTP Work?
One-time passwords typically work alongside a standard login with a static password. After the customer attempts to log into an account, the business automatically sends them an additional code that they can use to further verify their identity. Some companies use one-time passwords in place of a standard password and login altogether. The numeric or alphanumeric codes are valid for only one login session.
There are two main kinds of OTPs: HMAC-based one-time passwords (HOTP) and time-based one-time passwords (TOTPs). While HOTPs and TOTPs have some similarities, there are also some important differences to understand. Here’s what you need to know:
HOTPs use hash-based message authentication codes (HMAC) to generate the one-time passwords that businesses send to consumers to confirm their identities. Essentially, the algorithm computes an HMAC over a shared secret and an incrementing counter, producing a unique code for each request. The code remains valid until the user requests another one. HOTPs were the first form of OTP. Since they don’t have strict time limits for use, HOTPs can offer a better user experience, but they’re also somewhat more exposed than TOTPs to a brute-force attack, because an unused code stays valid until the next one is issued.
TOTPs work similarly to HOTPs, but instead of using an incrementing counter as input to the password-generating algorithm, they use the current timestamp. This means that a TOTP is only valid for a short period of time, often a few minutes. That makes TOTPs a bit more secure than HOTPs, but they’re slightly less convenient for the end user, since the code becomes invalid if they don’t receive it or use it quickly enough.
How are OTPs Generated?
OTPs are generated automatically using algorithms based on either a counter-based or a time-based variable depending on whether it’s an HOTP or a TOTP. Some websites generate and require an OTP every time a user logs in, while others allow users to set their devices to automatically recognize them and require the OTP as a security measure less frequently. In that case, the website might only ask the user for an OTP after a certain period of time has passed since their last login.
Benefits of a One-Time Password for Businesses
There are many benefits to businesses that use an OTP in addition to a static password as part of the login process. These include:
- Increased security. Two-factor authentication is inherently more secure than using standard passwords. Because each OTP is valid for a single use and expires shortly after it’s generated, an intercepted code can’t be replayed later and is worthless to hackers.
- Low cost. When executed correctly, OTPs offer a simple, user-friendly experience, and they’re relatively low cost.
- Ease of use. OTPs make it easier for individuals to log into their accounts, even if they’ve forgotten their password.
- Improved efficiency. Beyond improving the user experience, a smoother login process can free up IT staff to focus on other projects.
- Hacker proof. Since they’re randomly generated by an algorithm, it is impossible for hackers to guess an OTP using social engineering or to figure it out using brute force.
- Decreased risk. If a user’s credentials get leaked in a data breach, there’s less risk since criminals can’t use them without the OTP. OTPs also reduce the security risk for users who reuse passwords, a common - though inadvisable - practice.
- Assurance and credibility. OTPs have become widely used, meaning they’re a proven technology in terms of both security and usability. Their use may also give customers reassurance that the company is taking security seriously.
An OTP Example
In practice, companies such as banks or retailers typically follow five steps when using OTPs.
- Step 1: The customer requests access to their account by entering a username and password on the login page.
- Step 2: If the company recognizes the login information but not the device (or the customer has not enabled device recognition), the company asks the user if they can send an OTP via text message (SMS), phone, or email using contact information they already have on file for that account.
- Step 3: The customer consents to using an OTP and looks for it via the channel they’ve chosen. An algorithm generates either an HOTP or a TOTP for this specific instance and sends it to the customer, usually within a minute.
- Step 4: The customer types or copies and pastes the OTP into the login screen along with their other credentials and gains access to their account.
- Step 5: The OTP expires within a set period (often a few minutes) or after the user enters it, making it useless to anyone else who accesses it later.
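The five steps above describe the server’s side of a delivered OTP: issue a random code, hand it to a channel, check what the customer types back, and retire it. The following added example (not code from the original article or from Vibes) implements that lifecycle in Python for a code sent out of band. The expiry of 300 seconds, the limit of 5 wrong guesses, the in-memory store and the `server_key` used to hash pending codes are all assumptions made for illustration; the interesting properties are that only a keyed hash of the code is stored, comparison is constant-time, a code is consumed on first success so Step 5 holds, and guessing is capped.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # "a few minutes" in the article; constructed value
MAX_ATTEMPTS = 5        # constructed limit on wrong guesses per issued code


@dataclass
class PendingOtp:
    code_hash: bytes     # keyed hash of the code; the plaintext is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issue and verify single-use codes delivered over SMS, email or voice (Steps 2-5)."""

    def __init__(self, server_key: bytes, clock: Callable[[], float]):
        self._key = server_key          # assumed per-deployment secret for hashing codes
        self._clock = clock             # injectable so expiry can be tested deterministically
        self._pending: Dict[str, PendingOtp] = {}

    def _hash(self, account_id: str, code: str) -> bytes:
        # Binding the account id prevents a code stored for one account matching another.
        return hmac.new(self._key, f"{account_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, account_id: str) -> str:
        """Step 3: generate a code with a CSPRNG and record its hash and expiry.

        Issuing again replaces any earlier pending code for the account.
        The returned plaintext goes to the delivery channel and must not be logged.
        """
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account_id] = PendingOtp(
            code_hash=self._hash(account_id, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, account_id: str, submitted: str) -> str:
        """Step 4/5: check the submitted code; returns a status string for the login flow."""
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_pending_otp"
        if self._clock() > entry.expires_at:
            del self._pending[account_id]
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]   # force a fresh code rather than allow more guesses
            return "too_many_attempts"
        entry.attempts += 1
        if not hmac.compare_digest(entry.code_hash, self._hash(account_id, submitted)):
            return "mismatch"
        del self._pending[account_id]       # single use: a second submission of the same code fails
        return "ok"


if __name__ == "__main__":
    now = [1_000.0]
    service = OtpService(b"constructed-server-key", lambda: now[0])
    code = service.issue("customer-42")
    print("first use :", service.verify("customer-42", code))   # ok
    print("replay    :", service.verify("customer-42", code))   # no_pending_otp
```

In a real deployment the pending store would live in a database or cache shared by all login servers, and the `issue` call would be followed by the SMS, email or voice send; nothing about the verification logic changes.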
How to Deliver an OTP
There are several different methods that companies can use to deliver OTPs to their customers or users. These include physical key fobs, dedicated apps, and push notifications. But today we are going to dive deeper into the following frequently used methods of delivery, which reach a wider audience: text messages, email and phone calls.
SMS message delivery is the most common method used by companies to deliver OTPs to their consumers. That’s because text messages are the fastest, easiest, and most reliable way to deliver a time-sensitive message in a way that’s also safe and secure.
While some consumers like email, there can be challenges with delivery delays. It may also require consumers to complete an additional step by opening up or logging into a specific email account. It can also be easy to lose an emailed OTP in a crowded inbox.
Automated voice phone calls can be a fast way to deliver an OTP, but consumers may face more cumbersome roadblocks in using the code, like finding a way to manually write it down so that they don’t forget it. In addition, if the consumer has trouble hearing or is in an area with poor reception, they may take down an incorrect OTP and have to restart the process. If in an area with no reception, a consumer may never receive an OTP at all.
How Vibes Can Help
Vibes specializes in helping connect companies with their customers through a range of powerful mobile communication channels, including text messaging. As a Tier-1 aggregator that specializes in mobile messaging, we can make sure that your OTP—along with any other SMS messages—arrives at your customers’ phones within seconds.
Vibes is one of only four companies that is a Tier 1 aggregator, which means we have direct connections to all of the U.S. wireless carriers. For marketers, this means that we successfully deliver messages like OTPs within seconds, since we do not have additional companies in the middle of the delivery process handling messages from all over the country, which slows processing times and causes delays, queueing and other unseen impacts to message delivery.
We’ve been a trusted partner to the carriers and enterprise brands for more than 20 years, providing around-the-clock technical support and assistance 24/7/365. In addition to speed, having fewer cooks in the message-delivery kitchen has helped our customers avoid many of the expenses they’d otherwise incur with non-Tier 1 aggregators.
OTP: The Bottom Line
OTP is an extremely safe way for companies to validate the identity of their users through a quick and easy process that provides an added layer of security for customer verification. As cyber security becomes even more important, companies that can effectively use OTPs to improve their account security and the experience of their users will find themselves at a competitive advantage over their peers.
OTPs are a proven technology with many benefits, including enhanced security, reduced risk, and data protection. There are two main types of OTPs, HOTPs and TOTPs, which use different methods to generate the codes sent to users. Once generated, there are many ways that companies can send OTPs to customers, but the most commonly used medium is text messaging.
SMS-based OTP allows you to meet customers where they are (because they’re never far from their phone), bolstering your company’s reputation as a security-focused, user-friendly organization. If you’re ready to start using OTP, we’re ready to help! Contact us now to find out how we can support you with OTP and all your other mobile messaging needs.