One-time password

Updated: 04/30/2020 by Computer Hope
A one-time password, also known as an OTP, is a password that is valid for only a single login. OTPs are commonly used as part of a two-factor authentication system. For example, when a user logs into a secure network, they may see two prompts: one for a conventional password and the other for an OTP. A one-time password can come from sources including a USB (universal serial bus) security token or a smartphone app.

Why am I getting OTP messages?

The following section lists reasons you may be getting an OTP message or code as a text message or e-mail.

You're trying to access your account

When accessing your account from a new Internet browser, device, or location, a service may send you an OTP as a method of verification. If this is the case, you can enter the OTP that was sent to you to verify your identity.

Tip

Enter the OTP in the prompt on the screen as you're logging into the service.

Someone else trying to access your account

When someone else tries to access your account and the service does not recognize their computer, they are required to enter the OTP as a method of verification. If no one with account access is trying to log in, someone is likely trying to break into your account.

Tip

Ignore the OTP message. If the messages continue, consider changing your password since someone may have your username and password, but cannot get around the two-factor authentication.

Someone trying to reset your password

When using the forgot password feature or resetting a password, the service may use OTP to verify the identity of the person.

Tip

If you are not the one trying to retrieve or reset the password, ignore the OTP message. If the messages continue, consider changing your password since someone may have your username and password, but cannot get around the two-factor authentication.

Someone trying to create an account using your e-mail

If you're getting OTP messages from a service you do not use, someone is likely attempting to create an account using your e-mail address or phone number.

Tip

Ignore the OTP messages and never visit any of the links sent to you by e-mail or text message.

Someone is attempting to phish your account

An OTP message could be used to phish for user account details. The OTP message may have links designed to steal information or prompt users to enter their login information.

Tip

Ignore the OTP messages and never visit any of the links sent to you by e-mail or text message.

OTP authentication methods

An OTP authentication service may use one or more of the following methods to verify a user's identity.

  • Time synchronization — The login server knows that a one-time password is valid because the USB key generates a random password based on the current time.
  • Previous password — The login server keeps a record of the last password entered by the OTP device and can use this information to validate the current one-time password.
  • Challenge-response — The login server can issue a unique challenge to the USB key, for which there is only one unique response.
