Traditional passwords have many weaknesses, even when they have been carefully chosen and are strong in themselves. The main problem: a password that is used again and again can be captured at some point, for example by a keylogger, a phishing page or a compromised connection, and then reused. In such a replay attack the attacker does not need to guess or crack the password at all; the intercepted password is simply presented again to authenticate as the victim.

Sometimes it doesn't matter how careful you are: in recent years, even well-known online services have repeatedly been hit by cyberattacks in which the data of thousands of customers fell into the wrong hands.

How can you protect yourself from this? One strategy is to change your password at regular intervals. But nobody wants to change passwords every day, and a rotated password is still a reusable one until the next change. A solution that is much easier to live with is a one-time password, which is worthless to an attacker as soon as it has been used.


What is a one-time password?

A one-time password is a password that can be used once and then expires. One-time passwords are often referred to by the abbreviation OTP and are sometimes also called OTP codes.

A one-time password usually consists of a short numeric or alphanumeric OTP code (digits, or letters and digits) and is generated for a single login session. Once you have logged in with it, the code expires and cannot be used for the next login session, even if someone observed it in transit.

One-time passwords are often used as the second factor in two-factor authentication, in areas such as online banking but increasingly in companies as well. In the first step, you enter your usual login credentials. In the second step, you generate a dynamic one-time password with a tool such as a security token or an authenticator app, and OTP authentication requires that code in addition to the password.

This additional step raises the bar considerably. If unauthorized users obtain your usual password, they still lack the dynamic one-time password, which is generated only when needed and only for a single login. For this reason, more and more online services are adopting two-factor authentication, especially where sensitive data is involved. One caveat: an OTP protects against a password being captured and replayed later, not against a phishing site that forwards the code to the real service while it is still valid, so an OTP code should only ever be typed into the genuine site.

Note

Don't confuse the abbreviation OTP for one-time password with the one-time pad, which is also abbreviated OTP. The one-time pad is an encryption technique, not an authentication method: it is provably secure if its key is truly random, at least as long as the message and never reused, but those requirements make it far harder to use in practice than one-time passwords.

How does an OTP password work?

For a one-time password to work, the user (or the user's device) and the system it is used with must both be able to produce or recognize the same password. There are two different ways to achieve this:

Password list

A password list is the simplest way to use one-time passwords. It is a pre-generated list of passwords known to both the user and the system. When one of these one-time passwords has been used, the user strikes it off the list, and the system marks it as consumed so that it is not accepted a second time.

The disadvantage of this method is obvious: anyone who finds, copies or photographs the list holds every unused password on it. While such lists are still sometimes used in online banking, more and more providers are switching to dynamically generated OTP passwords for exactly this reason.
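The server side of a printed password list, as an added example that is not part of the original article. The entry format, the salted PBKDF2 storage and the input normalization are assumed design choices, not a description of any particular bank's system. The point the paragraph leaves implicit is shown in code: the server keeps only a hash of each entry, so a copy of its table does not reveal the passwords, and each entry is consumed on first use so a code observed in transit cannot be replayed.

```python
"""Server-side handling of a printed one-time password list.

Added example for this article, not code from the original page. Entry
format, salted PBKDF2 storage and normalisation are assumed design choices.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List

ALPHABET = string.ascii_uppercase + string.digits  # no lowercase: easier to read off paper


def generate_list(count: int = 10, length: int = 8) -> List[str]:
    """Entries that would be printed and handed to the user (constructed sample)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


class OtpListServer:
    """Holds the server's copy of the list as salted hashes plus a used/unused flag."""

    def __init__(self, entries: List[str]):
        self.salt = secrets.token_bytes(16)
        # False = still unused; the plaintext entries are never stored
        self.entries: Dict[bytes, bool] = {self._hash(e): False for e in entries}

    def _hash(self, entry: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", entry.encode(), self.salt, 50_000)

    def redeem(self, entry: str) -> bool:
        """Accept an entry once. Returns False for unknown or already used entries."""
        digest = self._hash(entry.strip().upper())  # tolerate how users type from paper
        for stored, used in self.entries.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                if used:
                    return False  # replay: this line was already struck off
                self.entries[stored] = True
                return True
        return False

    def remaining(self) -> int:
        return sum(1 for used in self.entries.values() if not used)
```

Losing the paper list still hands an attacker every unused entry; hashing only protects against a breach of the server's copy, which is why the list approach is being replaced rather than improved.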

Dy­nam­i­cal­ly generated passwords

Today, dynamically generated one-time passwords are the most common method. Hardware tokens are widely used to generate them on the fly; these small devices come in forms such as key fobs or keypad devices, and authenticator apps on smartphones now perform the same function in software.

These devices are also called OTP tokens. What they have in common is a display and a button: pressing the button produces a one-time password for a login session. Codes from these devices are usually entered together with other authentication factors such as a PIN or a user ID.

A special algorithm, seeded with a secret that token and server share, generates the dynamic password on the fly. There are three different algorithm options:

  • Time-based
  • Event-based
  • Challenge-response

Time-based

With this method, the security token (client) and the server compute the same password from the shared secret and the current time, using the same algorithm. This time-based one-time password (TOTP, standardized in RFC 6238) is therefore known on both the user side and the server side, and it is valid only for a defined time step, typically 30 seconds, although some deployments use longer intervals. Servers usually also accept the neighbouring time step so that a slightly drifting token clock does not lock the user out.

Event-based

Event-based one-time passwords are generated by a specific action, for example pressing a button on the security token. As with the time-based method, the same algorithm runs on the server side and the user side; the standardized form is HOTP (RFC 4226). Instead of the time, the input is a counter that both sides increment with every generated password. The server validates a code by computing it for its own counter value, and because the counter on the token can run ahead (the button gets pressed without a login being completed), the server usually also checks a small look-ahead window and then resynchronizes its counter.

Challenge-response based

In this method, the server issues a request (challenge), which the client must answer (response). The client receives a value from the server, typically a random number that is never reused, and combines it with the shared secret to calculate the one-time password. Since the server knows the algorithm, the secret and the value it issued, it can check the response, and because each challenge is valid only once, a recorded response is useless afterwards.
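The three dynamic methods above, time-based, event-based and challenge-response, as one added example that is not part of the original article and not the code of any particular token vendor. HOTP and TOTP follow RFC 4226 and RFC 6238 exactly, and the shared secret is the public test secret from those RFCs so the outputs can be checked against the published test vectors. The look-ahead and clock-skew window sizes, the replay bookkeeping and the challenge-response construction (HMAC over a server nonce, truncated like HOTP) are assumed illustrative choices rather than a named standard.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and a challenge-response variant with the
server-side checks that make each code genuinely one-time.

Added example for this article, not code from the original page. SECRET is the
public RFC test secret; window sizes and the challenge-response design are
assumed, illustrative choices.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

SECRET = b"12345678901234567890"  # RFC 4226/6238 test secret; real secrets are random


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low
    nibble of the last byte, clear the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch (RFC 6238 defaults: step 30, T0 = 0)."""
    return hotp(secret, unix_time // step, digits)


class HotpServer:
    """Verifier for event-based codes. Remembers the next expected counter so a
    replayed code fails, and looks ahead a few counters in case the token's
    button was pressed without a login being completed (counter drift)."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.look_ahead, self.counter = secret, look_ahead, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronize; this and all earlier codes are burnt
                return True
        return False


class TotpServer:
    """Verifier for time-based codes. Accepts the current step and `skew` steps
    either side for clock drift, and never accepts the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew, self.last_step = secret, step, skew, -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        current = (int(time.time()) if now is None else now) // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s  # replay protection inside the skew window
                return True
        return False


class ChallengeResponseServer:
    """The server issues a fresh random nonce; the client answers with
    HMAC(secret, nonce) truncated like HOTP. The nonce is discarded on first
    use, so a captured response cannot be presented a second time."""

    def __init__(self, secret: bytes):
        self.secret, self.pending = secret, set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    @staticmethod
    def respond(secret: bytes, nonce: bytes, digits: int = 6) -> str:
        """Client side: the shared secret keys the HMAC, the nonce is the message."""
        return _truncate(hmac.new(secret, nonce, hashlib.sha1).digest(), digits)

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self.pending:
            return False  # unknown nonce, or one that has already been used
        self.pending.discard(nonce)  # one attempt per challenge, pass or fail
        return hmac.compare_digest(self.respond(self.secret, nonce), response)


if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(SECRET, 0))                    # 755224 (RFC 4226 vector)
    print("TOTP at T=59, 8 digits:", totp(SECRET, 59, digits=8))  # 94287082 (RFC 6238 vector)
    srv = TotpServer(SECRET)
    code = totp(SECRET, 59)
    print("first use:", srv.verify(code, now=59), "replay:", srv.verify(code, now=59))
```

Two details matter more than the arithmetic: every comparison goes through `hmac.compare_digest` so response timing does not leak how many digits matched, and each verifier records what it has already accepted, because without that bookkeeping a code remains valid for the whole time step or look-ahead window and is no longer one-time. HMAC-SHA1 is the RFC default and is not weakened by the known SHA-1 collision attacks; RFC 6238 also defines SHA-256 and SHA-512 variants.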

When does it make sense to use one-time passwords?

One-time passwords are recommended for all online services and websites that involve highly sensitive and important data. Examples include:

  • Online banking
  • Financial services such as online stock portfolios or cryptocurrency exchanges
  • Sensitive company data
  • Confidential channels of communication

You don't need a one-time password for every website. However, you should always use strong passwords, including for accounts where you log in with the same conventional password every time, and you should not reuse one password across several services. Research has shown that, despite the steady increase in cybercrime, many users still have insufficient security awareness.

Tip

Aside from the OTP method, there are other methods that offer greater security and are likely to grow in importance. One example is the WebAuthn standard, in which the browser authenticates with a public-key credential held by a security key or by the device itself; it could eliminate the need to remember passwords altogether.

Pros and cons of one-time passwords at a glance

Advantages
  • Resistant to replay attacks: a captured code is worthless after its single use
  • A stolen code cannot be reused for other sites or services
  • Greater security for users

Disadvantages
  • Additional technology (token, app or list) needed
  • Security tokens can fail or break
  • Generating and entering OTP codes can be cumbersome