A one-time password or OTP is a string of characters (numbers or letters), equivalent to a secret code, that is automatically generated by an algorithm to authenticate a user for a single online login or online transaction. It expires after use or after a specified amount of time, whichever comes first. A one-time password or OTP is more secure than the traditional fixed password we all try to store in our memory, which, aside from being commonly weak, is often repeated and reused across multiple accounts.
Research has shown that attackers can guess passwords easily if:
- Your password is too simple and short: for example, a single word followed by a number or an exclamation point, or a single numeric string such as a birthdate.
- Your password is reused across multiple accounts.
- Your password includes personal information. Dates of birth and street addresses are particularly vulnerable.
The use of traditional fixed passwords alone accounts for 81% of security breaches. For this reason and more, a one-time password or OTP is used to replace traditional password authentication or in addition to traditional passwords to supplement security and achieve 2FA or two-factor authentication. For your workforce, customers or organization members, user login credentials remain the same, and the one-time password or OTP is a largely transparent automated experience that changes its code with each login.
A one-time password or OTP adds a second layer of security to credentialing for login or transaction execution and meets security compliance obligations in finance, healthcare, education, technology, government, defense, law enforcement and many other industries. If you’ve ever logged in to an online financial account and the bank or card issuer asked you to enter a code that was instantly emailed or SMS texted to you, you’ve used 2FA, two-factor authentication.
One-time password or OTP authentication is also commonly used for distributed workforces logging into company servers from remote locations. Generally, upon logging onto the company’s server or app, a one-time password or OTP is generated and delivered to the worker via an SMS text, email, or an OTP token. An OTP token is typically a small device with a digital display screen (see our FEITIAN OTP c200). The screen displays the automatic and dynamically generated code required as a form of authentication and verifies that the person is who they’ve represented themselves to be by virtue of possession of the OTP token itself. The worker then enters the code received into the specified online field at the point of login with the other credentials and gains access.
Hence, if an unauthorized person gains access to a worker’s traditional password, they still won’t have the unique one-time password or OTP, which is dynamically generated only as needed for a single login. For this reason, more and more businesses are beginning to use two-factor authentication, especially when it comes to access to company servers and data.
One-time password or OTP authentication paired with traditional login credentials is often used as a method of meeting multi-factor authentication (MFA) compliance standards, which require 2 or more of these elements:
- Knowledge: credentials only the user knows – eg, a PIN or password
- Possession: credentials only the user possesses – eg, an OTP token device
- Inherence: credentials unique to who the user is – eg, a biometric such as a fingerprint
2FA, or two-factor authentication, requires the 2 elements to be independent of each other, effectively layering security.
Complete OTP System
FEITIAN OTP Authentication System (FOAS) is a multi-channel identity verification system which can simultaneously validate the user to a server and vice versa. FOAS can be seamlessly integrated with all the major operating systems and supports multiple databases via ODBC or any other specific type of connection, delivering a complete and highly secure communication environment for digital signatures on web-based transactions. We offer this cloud-based OTP authentication service with complete customization options for UI, functions and related services to enable you to secure your very own multi-channel identity verification system, one-time password or OTP server. Contact us to learn more!
One-Time Password OTP Tokens
A one-time password token is a computer chip-based pocket device or smart card with a digital display that shows a generated secret code authorizing access to an account online or perhaps a transaction to be executed. The one-time password or OTP typically has a very limited window of usability, perhaps as few as 30 seconds or as long as several minutes. The system can be configured to adjust the duration of time that the OTP is valid for. If it expires, a new OTP value is generated for use.
The FEITIAN c200 token is a small keychain-like hardware authenticator which offers users real mobility and flexibility. By simply pressing the button, OTP c200 generates and displays a secure one-time password every 60 seconds (or optionally 30 seconds), ensuring proper identification and allowing only authenticated users authorized access to critical applications and sensitive data. The OTP c200 token provides the most cost-effective two-factor authentication for enterprises to manage secure access to information in the global market. OTP codes are generated dynamically, constantly changing on the fly, and made available securely to users holding OTP tokens such as the FEITIAN c200.
A soft OTP token is software-based and generates a single-use 6-digit login PIN or password that’s sent via SMS text, push notification, email, or an app. However, there are also ‘hard tokens’ such as microprocessor-based smart cards (FEITIAN VC-200), USB keys (FEITIAN FIDO Series), keyless entry systems, mobile phones (FEITIAN OTP c610 token), and even Bluetooth tokens which can generate a one-time password or OTP.
Mobile Based One Time Password OTP Token
As an alternative to deploying keychain-like token devices, some businesses leverage smartphones carried by their workforce to generate a one-time password. This can be achieved by using an app downloaded to the smartphone, or the one-time password or OTP can be sent to the smartphone as an SMS text in the form of a URL link, used for authentication at a later point.
Additionally, with a FEITIAN QR code OTP token there is no need for the user to manually input the long transaction data (such as account number and transaction amount): all the data is displayed on the token screen after simply scanning the QR code from the online banking page, and is then signed with a one-time password that is dynamically linked to the transaction data.
The FEITIAN c610 token is an easy-to-use QR code transaction solution for online banking services. Its compact design allows the token to be easily carried to work or home. OTP c610 is designed on open standards, so it can offer banks a highly secure QR code transaction signing solution while remaining compatible with their current infrastructure.
FEITIAN OTP c610 can capture the transaction data (such as account number, transfer amount, etc.) by scanning the QR code displayed on the banking website or banking mobile app and presents it securely on the OTP c610’s display, which ensures that no one can tamper with the confidential transaction data. This QR code transaction signing solution is true what-you-see-is-what-you-sign. The user can self-activate and register their device and bank account by scanning the activation QR code, which is delivered to them by the bank via physical mail or via email.
How a One Time Password OTP Works
One-time password OTP authentication is an engagement with 2 sides, the user seeking authentication and the authentication server side, both of which rely on a shared secret (the seed from which each passcode in the sequence is derived). A one-time password or OTP is usually delivered via a device carried by the user, such as their smartphone (using an app or SMS), an OTP token with a digital display (a USB drive sized device or card), or a security key. One-time password or OTP technology is compatible with legacy environments and all major platforms (mobile, tablets, notebooks, & desktops), making it ideal for achieving multi-factor authentication for both workforces and customers.
One-time password tokens are commonly used for generating dynamic passwords at any given moment through a special algorithm. Generally, there are two different algorithm options: they are either event based, or time based.
Event Based One Time Password or OTP
An event-based one-time password is generated by performing a specific action, such as pressing a button on the OTP token device, which triggers the authentication server to create a synchronized password using the same algorithm (see FEITIAN OTP C100 series tokens). Each password is commonly calculated from its position after the prior password in the sequence, enabling it to be validated by the authentication server.
Time-Based One Time Password or OTP
With a time-based one-time password or TOTP (T = time), the token device and authentication server dynamically create a synchronized password using the same algorithm. Therefore, the one-time password is known on both the user side and the server side, and is readable for the user because the OTP token device has a small LCD screen showing the passcode once generated. Typically, this passcode is valid for a very brief window of time, perhaps as few as 30 seconds or as long as several minutes.
Benefits of a One Time Password OTP
Reputation is an integral part of an organization’s brand and is built on the trust vested in the brand by customers and workforce alike. Per Sinch research, 73% of consumers feel a high level of trust when they know their information and accounts are secure. The advantage of an OTP token is that its possession is required wherever a person is trying to gain access to corporate servers and accounts. Thus, a one-time password OTP token is a more secure means of authenticating remote workforces and customers. Since these OTP tokens are quite small, they are not cumbersome in any way and can be carried anywhere. A one-time password eliminates common challenges security managers and IT administrators face with password security:
- The often confusing and intricate password composition rules.
- Known-bad and weak passwords, along with vulnerability to keyloggers or malware. A user whose credentials leaked due to malware that captures their keystrokes, or due to a phishing scam, would still be protected.
- Sharing of credentials or reuse of the same password on multiple accounts and systems.
- Concerns about scammers and attackers obtaining passwords and reusing them, since a one-time password becomes invalid immediately after use or within minutes, whichever comes first.
- An organization’s ability to use verification APIs and easily build one-time passwords or OTPs into their products and apps. Programmable verification integrations can pay for themselves by securing customer trust, freeing up your valuable human support resources to focus on higher-level goals, and safeguarding against internal and external cybersecurity threats.
- Passwordless Authentication: One-time password or OTP authentication login delivers a trouble-free experience to your users so they’re not burdened with remembering intricate passwords. Simple and speedy onboarding means fewer password snafus and less friction, resulting in more conversions.
- MFA Authentication: Multi-factor authentication is a must-have compliance requirement for many industries (finance, healthcare, education, technology, government, defense, law enforcement). The one-time password is the leading technology that’s easy to adopt and, coupled with a standard login, achieves 2FA, two-factor authentication, for more security.
In summary, one-time password authentication eliminates the risk inherent in traditional passwords. Using OTP authentication is ideal for all businesses and websites that involve a workforce or customer base accessing servers, online tools, or resources in any way.
One Time Password Hardware Tokens Colleges & Universities use for Two-factor Authentication (2FA) & Adding a Second Layer of Security to University Accounts
There are 2 popular types of One Time Password authentication:
- HOTP or HMAC (hash-based message authentication code) one-time passwords like the FEITIAN OTP c100.
- TOTP or time-based one-time passwords like the FEITIAN OTP c200.
Both the c100 & c200 generate the one-time password code from 2 inputs:
- A secret key/seed created when you establish a new account on the authentication server (this does not change).
- Moving Factor (code) that changes each time a new one time password (OTP) is requested.
How the moving factor is generated is what differentiates HOTP (the FEITIAN c100) from TOTP (the FEITIAN OTP c200).
c100: Each time the HOTP is requested and validated, the moving factor (code) moves incrementally based on a counter. The code that’s generated is valid until you actively request another one and it’s validated by the authentication server. The OTP generator and the server are synced each time the code is validated and the user gains access.
c200: The moving factor (code) in TOTP is time-based rather than counter-based. The length of time each password is valid is a time step, generally lasting 30 seconds or 60 seconds. If the password isn’t used within that time window, the password expires and you’re required to request a new password for access.
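The following is an added example, not FEITIAN code, showing how the two generation schemes described above (and in the event-based and time-based sections earlier) work in practice. It implements HOTP as specified in RFC 4226 and TOTP as specified in RFC 6238 on top of it, using the RFC 4226 test seed "12345678901234567890" as a constructed sample secret (never a real token seed), and pairs each generator with the server-side verification logic a practitioner actually needs: a look-ahead window so a counter-based token that has been pressed a few times without logging in can resynchronise, a one-step drift window for the time-based token, and tracking of the last accepted moving factor so that a code which has already been used cannot be accepted a second time, which is what makes the password "one-time". The class names, window sizes and the 30-second default step are assumptions of this example, not FOAS settings.

```python
import hmac
import hashlib
import struct
import time

# RFC 4226 test key, used here only as a constructed sample seed for demonstration.
SAMPLE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits and zero-padded."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose moving factor is the number of time steps elapsed.
    Pass step=60 for a token configured with a 60-second window."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side for an event-based (counter) token.
    Remembers the next expected counter so an already used code is never accepted
    again, and searches a small look-ahead window so a few unused button presses
    on the token do not desynchronise it from the server."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = 0            # next counter value the server will accept
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # resynchronise; every counter <= c is now dead
                return True
        return False


class TotpVerifier:
    """Server side for a time-based token.
    Accepts the current time step plus drift_steps either side to tolerate clock
    skew, and records the last accepted step so each code is single-use."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.digits = digits
        self.last_step = -1         # highest time step already consumed

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for s in range(current - self.drift_steps, current + self.drift_steps + 1):
            if s <= self.last_step:
                continue            # replay of a consumed (or older) step is rejected
            if hmac.compare_digest(hotp(self.secret, s, self.digits), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    # Token side: counter-based code for the first button press, and the time-based
    # code for the current 30-second and 60-second windows.
    print("HOTP counter 0:", hotp(SAMPLE_SEED, 0))
    print("TOTP 30s step :", totp(SAMPLE_SEED, int(time.time())))
    print("TOTP 60s step :", totp(SAMPLE_SEED, int(time.time()), step=60))
    # Server side: first use succeeds, replay of the same code fails.
    v = HotpVerifier(SAMPLE_SEED)
    print("first use:", v.verify(hotp(SAMPLE_SEED, 0)), "replay:", v.verify(hotp(SAMPLE_SEED, 0)))
```

The `hmac.compare_digest` call is deliberate: comparing the submitted code with the expected code byte by byte would let response timing leak how many leading digits were right. Note also that the verifiers store only the last accepted moving factor, not the codes themselves; that is all the server needs to enforce single use.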
Cloud-based One-time Password Server & Software Licensing Solution
FEITIAN OTP Authentication System (FOAS) is a multi-channel identity verification system which can simultaneously validate the user to a server and vice versa. Moreover, FOAS can establish a highly secure communication environment by providing digital signatures for web-based transactions.
We offer this cloud-based authentication service with complete customization options for UI, functions and related services to enable you to secure your very own multi-channel identity verification system, one-time password or OTP server. It provides a cost-effective, flexible and easy-to-use authentication solution with scalability, reliability and strong multi-factor authentication.
You can integrate 2-factor authentication into your website or mobile apps with an easy-to-use SDK, and avoid the heavy maintenance work of running your own local authentication servers.
You can create, manage and deliver your software licenses in varying schemes to increase revenue, and you can use this solution to prevent the software from being reverse-engineered and pirated with the provided hardware-based tokens. If you prefer not to use our Authentication System (FOAS), you can instead host a verification server yourself.