What is OTP?
OTP stands for One-time Password, also known as ‘One-time PIN’. A one-time password is an automatically generated numeric or alphanumeric string that authenticates a user for a single transaction or login session: it is accepted once, within a short validity window, and never again. It is a widely used way of confirming a login or a single transaction and is a standard second factor for online banking and payments.
The password becomes invalid after it has been used once. This protects against password sniffing and replay attacks: a code that an attacker captures from the network or a compromised endpoint is worthless by the time it is replayed. OTPs therefore offer better protection than static passwords, which stay the same across many login sessions and are often weak or reused across other platforms.
How Does an OTP (One-Time Password) Work?
OTPs avoid a number of shortcomings of traditional (static) password-based authentication. They are most often deployed as the second factor in two-factor authentication.
- Typically, when a user creates an account, they are prompted to enable two-factor authentication alongside the regular username and password. On later logins the system sends a temporary code (commonly four to eight digits) to the registered mobile number, or the user reads it from an authenticator app, and enters it to complete the login.
- Each OTP is accepted at most once, and the next one is always different. For server-generated codes (such as those sent by SMS) the server must draw every code from a cryptographically secure random number generator, so that codes already seen reveal nothing about codes still to come.
- Algorithmic OTPs such as HOTP and TOTP are not random at all: each code is computed deterministically with HMAC from a shared secret key and a counter or the current time. What stops an attacker predicting the next code is the secrecy of the key, not randomness; anyone who obtains the key can generate every future code.
- Concrete OTP algorithms vary greatly in their details, but all are designed so that observing past codes gives no advantage in guessing future ones.
In simpler words, a typical SMS-based login with an OTP runs as follows:
- The user enters their username and password.
- The request is sent to the backend.
- The backend checks the username and password against its records.
- The backend generates a fresh OTP, records it together with an expiry time, and sends it by SMS to the registered number.
- The user enters the OTP; the backend checks that it matches, has not expired and has not been used before, and only then logs the user in.
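The server side of that flow, as an added example (this is not code from the original article or from any particular product): the code is drawn from a CSPRNG, only a salted hash of it is stored, it expires after a fixed time, it is burned after too many wrong guesses, and it is deleted the moment it is accepted so a replay finds nothing. The constants, the `OtpService` class and the injectable clock are assumptions made for the example; in a real deployment the pending-code store would live in a database or cache shared by all backend instances.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Example policy values (assumed for this illustration, not taken from the article).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # a code is accepted for five minutes after issue
MAX_ATTEMPTS = 5        # after that the code is discarded and a new one must be issued


@dataclass
class PendingOtp:
    code_hash: bytes    # salted SHA-256 of the code, so the store never holds plaintext
    salt: bytes
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies server-generated OTPs for the SMS-style login flow.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, user_id: str) -> str:
        """Generate a fresh code for user_id; any earlier unused code is discarded."""
        # secrets, not random: codes must be unpredictable from earlier codes.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingOtp(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code   # handed to the SMS gateway; never written to logs

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept a code at most once, only before expiry, and only within the attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing issued, or already used
        if self._clock() > entry.expires_at:
            del self._pending[user_id]        # expired: force a re-issue
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: the code is burned
            return False
        # Constant-time comparison of equal-length digests, so timing leaks nothing.
        if not hmac.compare_digest(self._hash(submitted, entry.salt), entry.code_hash):
            return False
        del self._pending[user_id]            # single use: a replayed code finds nothing
        return True

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # Hashing keeps plaintext codes out of the store, but a 6-digit space is
        # trivially brute-forced offline; the TTL and attempt limit do the real work.
        return hashlib.sha256(salt + code.encode("utf-8")).digest()
```

The attempt limit matters as much as the single-use rule: a six-digit code has only a million possibilities, so without a cap on guesses an attacker who can submit codes quickly will simply enumerate them inside the validity window.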
Generation of OTP
The OTPs can be generated by any one of the following techniques:
- Time-synchronization – between the authentication server and the client generating the password: the code is derived from a shared secret and the current time step, so each OTP is valid only for a short period (TOTP, RFC 6238; this is what most authenticator apps implement).
- Hash chain – a new password is derived from the previous one by repeatedly applying a one-way function, so the OTPs form a chain and must be used in a predefined order (S/KEY, RFC 2289, based on Lamport's scheme).
- Challenge or counter – the new password is derived from the shared secret together with a challenge (e.g., a random number chosen by the authentication server, or the transaction details) and/or a counter that both sides advance (HOTP, RFC 4226; OCRA, RFC 6287 for challenge-response).
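The three families side by side, as an added example (not code from the original article): `hotp` implements the RFC 4226 counter-based scheme, `totp` the RFC 6238 time-based variant on top of it, `verify_totp` shows the drift window a server allows, and `hash_chain` with `ChainVerifier` shows the S/KEY-style chain where each accepted value becomes the check value for the next. The function names, the drift window and the chain length are assumptions for the example; the test values in the assertions are the published RFC 4226 and RFC 6238 test vectors for the secret `12345678901234567890`.

```python
import hashlib
import hmac
import struct
from typing import List


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of time steps elapsed."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock drift).

    A real server must also remember the last accepted step for this user so the same
    code cannot be accepted twice inside the window; that bookkeeping is omitted here.
    """
    current = int(unix_time) // step
    ok = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret, current + drift, digits)
        ok |= hmac.compare_digest(candidate, submitted)   # constant-time, all candidates checked
    return ok


def hash_chain(seed: bytes, n: int) -> List[bytes]:
    """S/KEY-style chain: chain[0] = H(seed), chain[i] = H(chain[i-1]).

    The server is enrolled with chain[n]; the client then reveals chain[n-1],
    chain[n-2], ... in that fixed order, one value per login.
    """
    chain = [hashlib.sha256(seed).digest()]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class ChainVerifier:
    """Server side of the chain: it holds only the last accepted value, never the seed."""

    def __init__(self, enrolled: bytes) -> None:
        self.current = enrolled

    def verify(self, submitted: bytes) -> bool:
        if hmac.compare_digest(hashlib.sha256(submitted).digest(), self.current):
            self.current = submitted   # advance: the value just used can never be accepted again
            return True
        return False
```

Note what the two designs protect against: an attacker who reads the chain verifier's state learns only values that have already been burned, whereas an attacker who reads a HOTP/TOTP server's stored secret can generate every future code, which is why those secrets need the same protection as password hashes or better.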
How is an OTP Delivered?
An OTP can be delivered over several channels:
- Mobile phone: the most common delivery channel is SMS, which works on every handset without extra software. It is also the weakest channel: SMS messages can be read by malware on the phone, redirected by SIM-swap fraud, or intercepted through weaknesses in the mobile network, which is why NIST SP 800-63B treats OTPs delivered over the telephone network as a ‘restricted’ authenticator. SMS remains an acceptable convenience channel, but it is not the most secure one.
On smartphones, OTPs can also be generated locally by authenticator apps such as ‘Google Authenticator’, ‘Duo Mobile’ and ‘Authy’ (usually TOTP, seeded by scanning a QR code at enrolment) or delivered as push notifications from such apps; nothing crosses the mobile network, so these avoid SMS interception.
- Web-based methods: ‘Authentication-as-a-Service’ providers offer web-based ways of delivering one-time passwords without hardware tokens. One such method relies on the user’s ability to recognise pre-chosen categories from a randomly generated grid of pictures.
(‘Authentication-as-a-Service’ is a cloud service that performs user authentication on behalf of applications. It is often bundled with, and sometimes loosely equated with, Directory-as-a-Service or Identity-as-a-Service, which manage user identities and their access to devices, applications and networks.)
- Hardcopy: in some countries’ online banking, the bank sends the user a numbered list of OTPs printed on paper. Other banks send plastic cards on which the OTPs are concealed by a layer the user scratches off to reveal each code. For every online transaction, the user is asked for a specific numbered OTP from that list.
In Germany and other countries such as Austria and Brazil, these OTPs are typically called TANs (‘transaction authentication numbers’). Some banks dispatch such TANs to the user’s mobile phone by SMS instead, in which case they are called mTANs (‘mobile TANs’).
Advantages of OTP
OTPs are widely used in online transactions because, when implemented correctly, their advantages clearly outweigh their risks.
- In contrast to static passwords, OTPs are not vulnerable to replay attacks: an intruder who records an OTP that was already used to log in or to conduct a transaction cannot reuse it, because it is no longer valid. Note that this stops replay, not real-time phishing: a code phished from the user and relayed to the genuine site within its validity window is still accepted, and only phishing-resistant authenticators such as FIDO2/WebAuthn close that gap.
- A user who uses the same (or a similar) password on multiple systems is not exposed on all of them if the password for one of them is obtained by an attacker, because the OTP still has to be supplied.
- A number of OTP systems also aim to ensure that a session cannot easily be intercepted or impersonated without knowledge of unpredictable data created during the previous session, as in the hash-chain schemes where each accepted value becomes the check for the next, which reduces the attack surface further.
Uses of OTP
Being a standard and reasonably secure way of authenticating, OTPs appear in many online services. An OTP sent to a phone proves that the person logging in controls that phone number (or, with an authenticator app, the enrolled device) at that moment, which is what lets the application tie a login to a verified identity. The main uses can be summed up in a few points:
- Resetting passwords: when a user logs in to a website or application from an unknown device and then requests a password reset, the service sends an OTP by SMS (or to an authenticator app) to confirm that the requester controls the registered phone before the reset goes ahead, which makes account takeover through the reset flow much harder.
- Securing payments in online shopping: OTPs are also used to confirm an online transaction on an e-commerce site, so that a stolen card number or session on its own is not enough to complete a purchase; this reduces fraud and lets suspicious activity be challenged.
- Securing an account used on several devices: when one account is used from more than one device, an OTP sent by SMS adds a layer of verification that the person linking a new device is the genuine account holder, after which the account is linked to that device.
- Reactivation: when a user signs in to an application or website after a long period of inactivity, their identity is confirmed through an OTP sent to the registered mobile number.
- Blocking spammers: requiring a phone-verified OTP at sign-up serves a purpose similar to a CAPTCHA. A CAPTCHA asks the user to solve a challenge to show that a human, not a script, is present; an OTP instead ties each account to a real, reachable phone number, which raises the cost of creating accounts in bulk and so discourages spam.
- Securing online documents: an OTP can add a layer of protection to documents containing private information, such as payslips or legal documents, so that a link or a stored password alone is not enough to open them.
In a digital era it is important to pay attention to the details of any online activity. Digitisation has brought many conveniences, including getting things done instantly without leaving home, but it is equally important to stay alert and secure online rather than fall into the pool of fraud and theft. Before using any online platform we should understand its strengths and weaknesses.