A One Time Password (OTP) is a strong authentication method to prove the identity of the caller per transaction. It usually consists of a string of characters and/or numbers.
Unlike user/password combinations, which can be used repeatedly, an OTP is valid only once. It proves device possession and provides extra security as it's often employed as a second challenge after a successful user password entry.
How One Time Passwords Work
Typically a user will enroll in an application using a phone number, a smart app (Okta Verify, for example), or a physical security token (such as a smartcard or fob).
The OTP is created in the application by an algorithm that combines a seed with a moving factor. The seed is a secret shared between the application and the user's device: it is created when the application is registered, or it is supplied by the physical security token. There are two types of moving factor, giving two algorithms: HOTP and TOTP.
Moving Factors Explained: What Are HOTP and TOTP?
HOTP
HOTP stands for HMAC-based One Time Password. The “H” refers to HMAC, which is spelled out as either keyed-hash message authentication code or hash-based message authentication code.
The moving factor in HOTP is a counter. Each time the counter changes, a new OTP is generated. The counter tracks the number of logins, so after a successful login the counter advances and the next OTP is different.
A hash function converts data of arbitrary size to a fixed-size value. With properties such as deterministic output (for a given input value, it always produces the same output) and fixed output length (whatever the input size, the output size is constant), hash functions are easy to implement and lend themselves to cryptographic constructions such as HMAC.
TOTP
TOTP stands for Time-based One Time Password. Each OTP is valid for one time increment, usually 30 or 60 seconds. Whether or not the OTP was used, a new OTP is created at every time increment.
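To make the two moving factors concrete, here is an added example (not code from the original article or from Okta) that implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, together with the server-side verification logic a practitioner actually needs: a look-ahead window for HOTP, a small clock-skew window for TOTP, constant-time comparison, and a monotonic counter so that a code is accepted at most once. The shared secret is the public test-vector secret from the RFCs; the verifier classes and their parameter names are this example's own.

```python
import hashlib
import hmac
import struct
import time

# Public test-vector secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# In a real deployment the seed is a random secret shared at enrollment, never a constant.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP per RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                 # counter as 8-byte big-endian
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte picks the window
    code = ((mac[offset] & 0x7F) << 24              # mask sign bit, take 4 bytes
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time=None, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP per RFC 6238: the moving factor is the number of time steps since t0."""
    if for_time is None:
        for_time = time.time()
    counter = (int(for_time) - t0) // step
    return hotp(secret, counter, digits, digestmod)


class HotpVerifier:
    """Server-side HOTP check (hypothetical helper, not an Okta API).

    Accepts a code for the next `window` counter values to tolerate tokens that were
    pressed without logging in, then moves the server counter past the accepted value
    so the same code, or any older one, can never be replayed.
    """

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret, self.window, self.digits = secret, window, digits
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # resynchronise and burn this counter
                return True
        return False


class TotpVerifier:
    """Server-side TOTP check (hypothetical helper, not an Okta API).

    Allows +/- `skew` time steps of clock drift and records the last accepted step so a
    code that was already used within its validity window is rejected (the "valid only
    once" property TOTP does not give you by itself).
    """

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_counter = -1

    def verify(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter and hmac.compare_digest(
                    hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))               # RFC 4226 vector: 755224
    print("TOTP at T=59  :", totp(RFC_SECRET, 59, digits=8))    # RFC 6238 vector: 94287082
    v = HotpVerifier(RFC_SECRET)
    print("accept, then replay:", v.verify("755224"), v.verify("755224"))
```

The verifier classes show the two operational details that distinguish a correct OTP deployment from a toy: HOTP needs resynchronisation (the window) and TOTP needs replay protection (the last-accepted step), and both need the comparison to be constant-time so timing does not leak which digits matched.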
Benefits of OTPs
A benefit of implementing OTP in any application is that you are also checking for device possession. Even if a password is compromised, the bad actor trying to get unauthorized access still will need to figure out how to get past the OTP step.
Another benefit is that OTPs are widely adopted. Almost everyone knows how to use them and what to expect when enabling them, so support edge cases are rare.
Security Issues and Considerations
Generally speaking, sending OTPs over SMS is not considered the most secure delivery method. It is, however, better than not having any OTP at all.
There are also considerations about the reliability of the network and signal reception that, depending on your use case, can imply tradeoffs.
Another thing to be aware of is distributing OTPs via email: although technically possible, it leaves out the goal of the OTP (proof of device ownership), since an inbox is not tied to a device.
How to Configure OTP in Okta
If you are using WIC, this article provides an overview on how to enable OTP for users.
This article covers OTP enablement for CIC.
Conclusion
Designed to be used for a single login attempt, OTPs reduce the risk of unauthorized access.
OTPs rotate based on one of two moving factors: a counter (HOTP) or time (TOTP).