A Guide to One-Time Passwords (OTP)

The last ten years have seen the quiet rise of one-time passwords, or OTPs, as a crucial component of internet security. OTPs are commonplace wherever an additional layer of authentication is required on top of a password. Even so, many people are still unaware of the inner workings of OTPs despite their widespread use. This post covers the fundamentals, lists the main varieties, and answers some commonly asked questions about OTP usage and administration.

We'll start with a brief overview of what exactly an OTP is - a single-use password generated for each login that changes over time. On top of a static password, OTPs provide an additional layer of dynamic verification. The algorithms underlying the most popular OTP types, such as time-based OTP (TOTP), will then be examined. The article will then go on to discuss OTP generation, validity durations, setup procedures, security issues, and other topics. The intention is to provide you with more knowledge about one-time passwords so that the next time you are asked to "enter your OTP code," you will feel more comfortable.

What are the different types of OTPs?

There are several main types of one-time passwords, even though the fundamental idea remains the same. The categories are defined by the methods and algorithms used to generate the single-use codes. The three main types are:

Time-based OTP (TOTP) - This is currently the most widely used algorithm due to its support in many authenticator apps. TOTP codes are generated using a cryptographic hash based on the current timestamp along with a shared secret key. Popular apps like Google Authenticator and Microsoft Authenticator use this method.

HMAC-based OTPs - Similar to TOTP but use a hashing method called HMAC (Hash-based Message Authentication Code) instead of raw timestamps. HMAC strengthens TOTP against vulnerabilities like time skew attacks.

Cryptographic OTPs - Rather than basing codes on time or a hash function, these generate codes through asymmetric cryptographic calculations using a private key. Examples include OATH-HOTP and any fob/hardware security keys that don't rely on timestamps.

Within each category, there may be variations, but these three cover the basic principles behind most modern OTP algorithms in use today. Because it is so easy to use and works on so many different platforms, TOTP is the best. Other methods, such as HMAC-OTP, provide alternatives suitable for different threat models or environments.

How do OTP algorithms work?

Fundamentally, all OTP algorithms produce one-time codes by combining a secret key with other variable inputs in a cryptographic computation. This guarantees that every code is exclusive to a single authentication attempt. As an example, let us examine in more detail how the widely used Time-based OTP (TOTP) functions:

  • TOTP uses the HMAC-SHA1 cryptographic hash function to generate codes. HMAC stands for "Hash-based Message Authentication Code."

  • The authenticator and validation service jointly possess the secret key, which is encoded as a base32 string.

  • The authenticator combines the key with the current Unix timestamp, rounded down to a 30-second interval.

  • This "message" is hashed using HMAC-SHA1 to output a 160-bit code.

  • Only 6–8 digits of the hash are used as the single-use password and sent for validation.

  • Checks are performed within a rolling 30-second window to account for time differences.

How are OTPs generated?

Now that the fundamental algorithms have been clarified, the next question is how end users get their one-time OTP codes. There are two main methods:

Built-in generators - Many authentication services have a time-based OTP generator directly integrated into their apps or websites. A secret key that needs to be scanned or entered into an authenticator app is shown during the 2FA setup process. The shared secret is then used by the app to independently generate codes.

Authenticator apps - Authenticator apps, such as Google Authenticator and Microsoft Authenticator, are standalone OTP client apps that can create codes for any service that supports TOTP. Users provision the app by scanning or entering the secret key displayed, and it then generates codes at the predetermined interval.

Typically, to complete the setup process, a QR code containing the encrypted secret key must be scanned, or if one is not available, the key must be manually entered. Authenticator apps require no internet connection to generate rolling 6-digit codes locally once they are configured.

Provisioning additional devices requires exporting or transferring the key rather than re-enrollment. This flexibility allows users to authenticate from any device with their preferred authenticator client app.

How long are OTP codes valid?

One-time password validity periods have a direct impact on security and usability because time is a variable input in the TOTP algorithm. The objective is to strike a compromise between user convenience and defence against replay attacks.

In most modern TOTP implementations, OTP codes are valid for 30 seconds after generation before becoming invalid and requiring a new code. This 30-second window attempts to strike a compromise between security and usability.

Some services may use somewhat different validity periods (e.g., 60 or 120 seconds) for codes based on user experience priorities and perceived risk levels. As the industry standard for TOTP generation protocols, 30 seconds has gained widespread acceptance.

As both the issuer and the verification systems would need to be updated to accommodate changes in periods, 30 seconds offers interoperability by bringing the expectations of both parties into line. It lasts long enough for multi-step authentication on slower devices without requiring resynchronization, but it is short enough to thwart replay attacks.

The validating party typically allows codes generated within the past 30 seconds and the next 30 seconds to account for minor device time mismatches. As long as devices are roughly synchronised, this rolling 30-second validation window accommodates natural time drift.
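Added example (not part of the original post): a small Python generator and verifier that follows the steps listed under "How do OTP algorithms work?" and the acceptance window of one 30-second step either side described above. The secret is the published RFC 6238 test secret; the `Verifier` class, its `window` parameter and its rule that each time step is accepted only once are assumptions of this example.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per time step, as on the page

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()  # 160 bits
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def decode_secret(secret_b32: str) -> bytes:
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # re-add stripped padding

def totp(secret_b32: str, now: float, digits: int = 6) -> str:
    """TOTP is the computation above with counter = floor(unix_time / STEP)."""
    return hotp(decode_secret(secret_b32), int(now) // STEP, digits)

class Verifier:
    """Hypothetical server-side check: +/- `window` steps, each step usable once."""
    def __init__(self, secret_b32: str, digits: int = 6, window: int = 1):
        self.key, self.digits, self.window = decode_secret(secret_b32), digits, window
        self.last_step = -1  # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already consumed: a replayed code must not pass twice
            if hmac.compare_digest(hotp(self.key, step, self.digits), code):
                self.last_step = step
                return True
        return False

# Constructed sample input: the published RFC 6238 test secret, base32-encoded.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = Verifier(SECRET)
    code = totp(SECRET, 59)          # generated in time step 1
    print(code, v.verify(code, 75))  # 16 s later, next step: accepted
    print(v.verify(code, 75))        # same code again: rejected as replay
    print(v.verify(code, 130))       # two steps later: expired
```

Widening `window` tolerates more clock drift but lengthens the time a captured code stays usable, which is why the single-use check matters.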

Can OTPs be recovered if a device is lost?

If there is no backup or recovery option, losing a device that contains authenticator apps and their stored OTP secret keys can lock users out of crucial accounts. Fortunately, services have taken steps to address this situation.

Restoring OTP setup on new devices is possible by writing down manual codes or keeping an offline backup of secret key QR codes. These backups, which are stored separately from the generated codes themselves, allow users to re-enter keys or rescan the QR codes.

Some services support direct key imports instead of re-scanning. Centralised solutions like Daito further simplify recovery by hosting account backups in cloud-synced databases accessible from any browser.

Should a reset be required, recovery procedures are also available to remove previous OTP configurations. For critical accounts, physical security keys allow secret keys to be stored offline and carried on detachable devices.

While varying in complexity, options exist to fully recover access even without the originally provisioned device. Proper backups and understanding service recovery workflows empower users to protect accounts through inevitable hardware failures over time.

Conclusion

This post discussed the principles of one-time passwords: how algorithms like TOTP generate codes securely, how authenticator apps are provisioned, and how access can be recovered after a device is lost. While OTPs introduce inconveniences around backups and transfers, their security benefits vastly outweigh the downsides when implemented properly.

Without a centralised 2FA solution, sharing work accounts among employees poses too much risk for many businesses. Tools like Daito, which offer a browser-based shared authenticator with capabilities like account groups, thorough logs, and safely stored backups, can help with that. Daito aims to make secure authentication sharing as seamless as possible for growing companies and distributed workforces.

As remote and hybrid work evolve, solutions that simplify multi-factor authentication across teams will become increasingly important. Services like Daito smooth over OTP management headaches so admins can focus on business priorities, not credentials.