What is a One-Time Password (OTP)?

A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. OTPs are typically sent via SMS to a mobile phone and are frequently used as part of two-factor authentication (2FA). NIST has recently deprecated SMS as a weak form of 2FA and encourages other approaches for strong 2FA.

How do one-time passwords work?

OTPs are delivered in many ways, usually via an object the user carries, such as a mobile phone (using SMS or an app), a token with an LCD display, or a security key. OTP technology is compatible with all major platforms (desktop, laptop, mobile) and legacy environments, making it a very popular choice among second-factor protocols.

Are there any limitations to traditional OTP?

  • Users need to type codes during their login process.
  • Manufacturers often possess the seed value of the tokens.
  • Administrative overhead resulting from having to set up and provision devices for users.
  • The technology requires the storage of secrets on servers, providing a single point of attack.

Are there additional advantages to 2-factor authentication when using Yubico OTP?

No client software needed. The OTP is just a string. If you can send a password, you can send an OTP.

Easy to implement. Using YubiCloud, supporting Yubico OTP is not much harder than supporting regular passwords.

YubiKey ID embedded in OTP. This allows for self-provisioning, as well as authenticating without a username.
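
To show what the embedded YubiKey ID makes possible, here is an added example (not Yubico's code) that reads the public ID from the front of an OTP string and uses it to pick the account for a username-less login. It assumes the standard Yubico OTP layout: modhex characters, with the last 32 carrying the encrypted part and whatever precedes them being the public ID. The `enrolled` table, the `verify` callback and the sample values are hypothetical.

```python
"""Added example: read the YubiKey public ID that prefixes a Yubico OTP."""
from typing import Callable, Optional

MODHEX = "cbdefghijklnrtuv"   # modhex alphabet; position = hex digit value
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
ENCRYPTED_LEN = 32            # trailing AES-128 block, 16 bytes as modhex
MAX_ID_LEN = 16               # public ID is 0-16 modhex characters


def modhex_decode(text: str) -> bytes:
    """Decode modhex to bytes, rejecting anything outside the alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not valid modhex")
    return bytes.fromhex(text.translate(_TO_HEX))


def split_otp(otp: str) -> tuple[str, bytes]:
    """Return (public_id, encrypted_block) for a well-formed OTP string."""
    otp = otp.strip().lower()
    id_len = len(otp) - ENCRYPTED_LEN
    if not 0 <= id_len <= MAX_ID_LEN:
        raise ValueError("unexpected OTP length")
    public_id, block = otp[:id_len], otp[id_len:]
    modhex_decode(public_id)              # validates the ID characters
    return public_id, modhex_decode(block)


def login(otp: str, enrolled: dict[str, str],
          verify: Callable[[str], bool]) -> Optional[str]:
    """Username-less login: the ID picks the account, verify() proves the OTP.

    `enrolled` (public ID -> account) and `verify` (a call to the validation
    service) are hypothetical stand-ins supplied by the caller.
    """
    try:
        public_id, _ = split_otp(otp)
    except ValueError:
        return None
    account = enrolled.get(public_id)
    # The public ID is sent in the clear, so it only identifies the key.
    # Never grant access unless the validation service accepts the full OTP.
    if account is None or not verify(otp.strip().lower()):
        return None
    return account


# Constructed sample values, not output from a real YubiKey.
SAMPLE_ID = "ccccccbchvth"
SAMPLE_OTP = SAMPLE_ID + "cbdefghijklnrtuv" * 2
```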
