• Gemalto is now part of the Thales Group, find out more.

One Time Password (OTP)


What does one-time password mean?

One-time password systems provide a mechanism for logging on to a network or service using a unique password that can only be used once, as the name suggests. 

one time password

The static password is the most common authentication method and the least secure. If "qwerty" is always your password, it's time for a change.

Why is a one-time password safe?

This prevents some forms of identity theft by making sure that a captured user name/password pair cannot be used a second time. 

Typically the users logon name stays the same, and the one-time password changes with each login. 

One-time passwords are a form of so-called strong authentication, providing much better protection to eBanking, corporate networks and other systems containing sensitive data.

Authentication answers the question: "Are you indeed Mr or Mrs X?"

Today most enterprise networks, e-commerce sites, and online communities require only a user name and static password for login and access to personal and sensitive data. 

OTP vs static password

Although this authentication method is convenient, it is not secure because online identity theft – using phishing, keyboard logging, man-in-the-middle attacks, and other practices – is increasing throughout the world.

Strong authentication systems address the limitations of static passwords by incorporating an additional security credential, for example, a temporary one-time password (OTP), to protect network access and end-users' digital identities. 

This adds an extra level of protection and makes it more challenging to access unauthorized information, networks or online accounts.

Time-based One-Time Password (TOTP) changes after a set period of time, such as 60 seconds for example.

How are one-time passwords created?

One-time passwords can be generated in several ways, and each one has trade-offs in terms of security, convenience, cost, and accuracy. 

Grid cards

Simple methods such as transaction numbers lists and grid cards can provide a set of one-time passwords. 

These methods offer low investment costs but are slow, difficult to maintain, easy to replicate and share, and require the users to keep track of where they are in the list of passwords.

otp tokens

Security tokens

A more convenient way for users is to use an OTP security token which is a hardware device capable of generating one-time passwords. 

There's more.

Some of these devices are PIN-protected, offering an additional level of security. 

The user enters the one-time password with other identity credentials (typically user name and password), and an authentication server validates the logon request. 

Although this is a proven solution for enterprise applications, the deployment cost can make the solution expensive for consumer applications. 

Because the token must be using the same method as the server, a separate token is required for each server logon, so users need a different token for each Web site or network they use.

Smart cards and OTP

More advanced hardware tokens use microprocessor-based smart cards to calculate one-time passwords. 

Smart cards have several advantages for strong authentication, including data storage capacity, processing power, portability, and ease of use. 

They are inherently more secure than other OTP tokens because they generate a unique, non-reusable password for each authentication event, store personal data, and they do not transmit personal or private data over the network.

Public Key Infrastructure

Smart cards can also include additional strong authentication capabilities such as PKI, or Public Key Infrastructure certificates. 

When used for PKI applications, the smart card device can provide core PKI services, including encryption, digital signature, and private key generation and storage.

Gemalto smart cards support OTP strong authentication in both Java™ and Microsoft .NET environments. 

Multiple form factors and connectivity options are available so that end-users have the most appropriate device for their network access requirements. 

All Gemalto OTP devices work with the same Strong Authentication Server and are supported with a common set of administrative tools.

Single-factor authentication (SFA) 

Single-factor authentication is the traditional security process that requires a user name and password before granting access to the user.

Stronger authentication can also be implemented with two-factor authentication (2FA) or multiple-factor authentication.

In these cases, the user provides two (or more) different authentication factors.

 At the ATM, you will need your card (something you have) AND a PIN code (something you know).

Today, the European PSD2 regulation is requesting stronger customer authentication to banks and financial institutions. We even expect the first banks to start declining transactions without two-factor authentication on 14 September 2019. 

More resources