Authentication

One-Time Password (OTP)

An OTP is a temporary code that is valid for a single authentication attempt and then expires. OTPs can be generated by an app on the user's device (software-based) or issued via SMS or email, and they serve as a second factor in MFA schemes.

# WHAT TEAMS RUN INTO

  • SMS-delivered OTPs can be intercepted or redirected. Attackers intercept SMS through SIM swap attacks or compromise carrier accounts and reroute SMS to their numbers.

  • OTP codes are time-sensitive and prone to user error. Users mistype codes, are interrupted before entering them, or receive codes that have already expired by the time they try to use them.

  • OTP validation is not always secure. Some implementations allow multiple code submission attempts without rate limiting, making OTPs vulnerable to brute force attacks.

# WHY IT MATTERS

OTPs are a way to turn a device into an authentication factor without requiring hardware tokens or complex cryptography. But an OTP's strength depends entirely on how it is generated, delivered, and validated. SMS OTPs are convenient but vulnerable. App-based OTPs are more secure but require users to manage an app. Every OTP design involves trade-offs between security and friction.
