What is an OTP?

Have you ever waited for a confirmation code to arrive at your email or mobile device? Which means that you have worked with an OTP implementation. OTP stands for One time Password. One Time Passwords are there in most of the authentication processes that we see on the web. Following are a few examples.

  • Banking systems
  • Hospital systems
  • Email systems
  • Storage systems


One Time Passwords(OTP) should be related to one single session of the user. These should not be allowed to be reused for multiple sessions for security reasons. For additional security, there are Time based One Time Passwords(TOTP) which may expire after some time. When TOTP are there you must provide it within the indicated time.


Single Factor Authentication(SFA) and Two Factor Authentication(TFA) are two different models of authentication. SFA is when the user is asked for authentication details just one time. Traditional login forms are a good example for this. TFA is when the user is asked to provide two or more authentication factors. OTPs are a type of TFA authentication.

Benefits of an OTP

Implementing an OTP can be a bit costly but this can give your application the following benefits.

  • Greater security level can be achieved with the additional level of authentication.
  • Difficult to crack with brute force and replay attacks if the OTP generation logic is powerful.
  • No threat of stealing the password since there is an additional verification step.

OTP architecture

Following is a general architecture for a OTP implementation.


Note the following about this architecture.

  • OTP verification is done before granting access to the user. If the OTP provided is incorrect, the user goes to an earlier stage at the execution.
  • OTP keys and the User data are separately stored.
  • OTP generation method is transparent from the client side application.

We can always change the architecture due to the security requirements.

OTP Complexity

Even though an OTP can be set as time restricted, these can be theoretically cracked by several methods. (For example, by brute force.) We have increase the randomness and the uniqueness of the OTP. To make an OTP more complex and unique, we can combine it with a hash generated by the user password. Also the UNIX timestamp of the OTP generation time can be used for the same purpose.

OTP Market

There is a market sector including the OTP services, devices, etc. The OTP segment is part of a more global two-factor authentication market evaluated at $3,5B in 2018. It will reach $8,9B by 2024, as revealed by global market researchers. Primary customers are enterprises, banking, finance, insurance and securities, government, healthcare, and gaming where user account safety is more important.