What is a One-Time Password (OTP)?

A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. OTPs are typically sent via SMS to a mobile phone and are frequently used as part of two-factor authentication (2FA). NIST has recently deprecated SMS as a weak form of 2FA and encourages other approaches for strong 2FA.

How do one-time passwords work?

OTPs are delivered in many ways, usually via an object the user carries, such as a mobile phone (using SMS or an app), a token with an LCD display, or a security key. OTP technology is compatible with all major platforms (desktop, laptop, mobile) and legacy environments, making it a very popular choice among second-factor protocols.

Are there any limitations to traditional OTP?

  • Users need to type codes during their login process.
  • Manufacturers often possess the seed value of the tokens.
  • Administrative overhead resulting from having to set up and provision devices for users.
  • The technology requires the storage of secrets on servers, providing a single point of attack.

Are there additional advantages to 2-factor authentication when using Yubico OTP?

No client software needed. The OTP is just a string. If you can send a password, you can send an OTP.

Easy to implement. Using YubiCloud, supporting Yubico OTP is not much harder than supporting regular passwords.

YubiKey ID embedded in OTP. This allows for self-provisioning, as well as authenticating without a username.
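
The sketch below is an added example, not Yubico's code: it shows how a server can read the key ID out of the OTP string to find the account, and why that ID is only trusted after the whole OTP has been validated. It assumes the default 44-character layout (a 12-character public ID followed by a 32-character encrypted part, both in modhex); `key_owners` and `validate` are hypothetical stand-ins for a local store and a call to the validation service.

```python
MODHEX = "cbdefghijklnrtuv"           # modhex digit i stands for hex digit i
TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
ID_LEN = 12                           # assumed default public ID length
TOKEN_LEN = 32                        # encrypted part: 16 bytes as modhex


def split_otp(otp):
    """Return (public_id, encrypted_token) or raise ValueError."""
    otp = otp.strip().lower()
    if len(otp) != ID_LEN + TOKEN_LEN or any(c not in MODHEX for c in otp):
        raise ValueError("not a well-formed Yubico OTP")
    return otp[:ID_LEN], otp[ID_LEN:]


def modhex_to_bytes(s):
    """Decode a modhex string to raw bytes (for logging or storage)."""
    return bytes.fromhex(s.translate(TO_HEX))


def login(otp, key_owners, validate, claimed_user=None):
    """Resolve the account from the key ID, but only after the OTP validates.

    key_owners:   dict public_id -> username (hypothetical local store)
    validate:     callable(otp) -> bool, stands in for the validation service
    claimed_user: set when an already authenticated user enrols a new key
    """
    public_id, _ = split_otp(otp)
    if not validate(otp):             # the ID is public; alone it proves nothing
        return None
    if public_id not in key_owners and claimed_user:
        key_owners[public_id] = claimed_user    # self-provisioning
    return key_owners.get(public_id)            # login without a username


# Constructed sample OTP (not from a real key): 12-char ID + 32-char token.
SAMPLE_OTP = "cccccckdvvul" + "ghijklnrtuvcbdefghijklnrtuvcbdef"

if __name__ == "__main__":
    owners = {}
    accept = lambda otp: True         # stub; a real service also rejects replays
    print(login(SAMPLE_OTP, owners, accept, claimed_user="alice"))
    print(login(SAMPLE_OTP, owners, accept))
    print(login(SAMPLE_OTP, owners, lambda otp: False))
```
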
