One-time password (OTP)

Entersekt | Encyclopedia | One-time password (OTP)
What are one-time passwords (OTPs)?

A one-time password (OTP) is a temporary and single-use code sent to a user's mobile device or email to verify their identity. OTPs, also called one-time passcodes, are often used as an additional authentication mechanism, forming part of a multi-factor authentication (MFA) solution, during login or transaction verification.

How do OTPs and OTP authentication work?

In OTP authentication, a random string of letters and numbers is sent to the customer’s chosen device, such as their mobile phone. The one-time password or pin code is only valid for one login, which makes it safer than a traditional password. The customer must then provide that OTP in order to verify their identity or confirm a banking transaction, for instance.

Today, SMS OTPs can easily be intercepted by fraudsters. As a result, they do not provide a secure method of authentication if it is the only factor used. When an OTP is used as part of a multi-factor authentication solution, there are other factors included, making it harder for hackers to bypass the security measures. OTPs in addition to biometric authentication and device identity would provide a safer, layered authentication approach, which is more secure than relying on OTPs alone.

OTP fraud examples

One-time password authentication can leave customers vulnerable to fraud threats. These could include:

  • Man-in-the-middle attacks: A hacker intercepts and relays communication between two parties without their knowledge, much like eavesdropping.
  • SIM-swap fraud: A fraudster gets hold of a customer’s personal credentials, calls a mobile network operator (MNO) and, posing as the customer, requests a SIM swap. Once the new SIM card is active, all SMS OTPs are delivered to the fraudster’s device, allowing them to verify transactions.
  • Social engineering attacks: Like phishing, vishing, and smishing attacks. These occur when a hacker pretends to be an authority figure like a bank employee, and manipulates a customer into sharing their credentials or an OTP.

Modern authentication alternatives to OTPs

Many financial institutions are moving away from outdated OTP authentication measures to modern, more secure solutions such as multi-factor authentication, risk-based authentication and Context Aware™ Authentication to protect their customers from fraud.

Additional resources:


One-time password (OTP) | Multi-factor authentication (MFA) | SIM-swap fraud