• What is a One-Time Password (OTP)?

    A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. OTPs are typically sent via SMS to a mobile phone and are frequently used as part of two-factor authentication (2FA). NIST has recently deprecated SMS as a weak form of 2FA and encourages other approaches for strong 2FA.

    How do one-time passwords work?

    OTPs are delivered in many ways, usually via an object the user carries, such as a mobile phone (using SMS or an app), a token with an LCD display, or a security key. OTP technology is compatible with all major platforms (desktop, laptop, mobile) and legacy environments, making it a very popular choice among second-factor protocols.


    Are there any limitations to traditional OTP?

    • Users need to type codes during their login process.
    • Manufacturers often possess the seed value of the tokens.
    • Administrative overhead resulting from having to set up and provision devices for users.
    • The technology requires the storage of secrets on servers, providing a single point of attack.

    Are there additional advantages to 2-factor authentication when using Yubico OTP?


    No client software needed. The OTP is just a string. If you can send a password, you can send an OTP.


    Easy to implement. Using YubiCloud, supporting Yubico OTP is not much harder than supporting regular passwords.


    YubiKey ID embedded in OTP. This allows for self-provisioning, as well as authenticating without a username.
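
    The embedded ID described above, as an added example (not Yubico's code): a server splits the OTP into the key's public ID and the one-time part, then uses the ID to find the account before the OTP is sent for validation. It assumes the Yubico OTP layout (modhex text whose last 32 characters are the encrypted one-time part, preceded by the public ID), which this page does not spell out; the `ENROLLED` store and the sample OTP are constructed.

```python
# Added example: use the YubiKey public ID inside an OTP to find the account.
MODHEX = "cbdefghijklnrtuv"   # modhex alphabet; position = hex digit value
TOKEN_LEN = 32                # encrypted one-time part: 16 bytes as modhex
MAX_ID_LEN = 32               # public ID: up to 16 bytes as modhex

# Constructed sample data (hypothetical enrollment store and OTP).
ENROLLED = {"ccccccbchvth": "alice"}
SAMPLE_OTP = "ccccccbchvth" + "hdgvnjtlrkfebuicdnvlgjrehtbukdcf"


def modhex_decode(text):
    """Decode a modhex string to bytes; reject anything that is not modhex."""
    if len(text) % 2:
        raise ValueError("odd-length modhex")
    try:
        hex_text = "".join("%x" % MODHEX.index(ch) for ch in text)
    except ValueError:
        raise ValueError("non-modhex character") from None
    return bytes.fromhex(hex_text)


def split_otp(otp):
    """Return (public_id, one_time_part) from a submitted OTP string."""
    otp = otp.strip()
    if not TOKEN_LEN < len(otp) <= TOKEN_LEN + MAX_ID_LEN:
        raise ValueError("unexpected OTP length")
    public_id, token = otp[:-TOKEN_LEN], otp[-TOKEN_LEN:]
    # Validate both halves before they are used as lookup keys or forwarded.
    modhex_decode(public_id)
    modhex_decode(token)
    return public_id, token


def resolve_account(otp):
    """Map an OTP to an enrolled account by public ID (None if unknown).

    The public ID only identifies the key. The full OTP must still be
    verified by the validation service before the login is accepted.
    """
    public_id, _ = split_otp(otp)
    return ENROLLED.get(public_id)


if __name__ == "__main__":
    print(split_otp(SAMPLE_OTP)[0], "->", resolve_account(SAMPLE_OTP))
```

    Self-provisioning works the same way in reverse: on first use, the server stores the public ID from a validated OTP against the account that submitted it.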
