A one-time password is a password that is valid only once and can be used for authentication or transactions. The one-time password can be generated dynamically or taken from a previously created list of static one-time passwords.
What is a One-Time Password (OTP)?
A one-time password is a password that is valid for one use only. The German term is Einmalpasswort. A common abbreviation for the one-time password is OTP, but it should not be confused with the one-time pad (also abbreviated OTP) used in one-time encryption.
A one-time password consists of an alphanumeric string and can be used for secure authentication or transactions. Once a logon or transaction has taken place with an OTP, the password loses its validity and can no longer be used for further actions. A one-time password can be used to secure logon procedures with passwords.
A password that has been stolen or read by a third party can therefore only be used once. The combination of a one-time password with an additional PIN provides even more password security. Various procedures exist for providing one-time passwords. They can be taken from a previously created list of static one-time passwords or generated dynamically on demand.
Procedure for generating a one-time password
To log in with a one-time password, both the user and the system must know which password is currently valid. Two methods can be used to achieve this: creating password lists and dynamic password generation. In the case of password lists, several passwords are stored on both the user side and the system side. These can be freely selected or used in a specific order. Once a password has been used, both sides delete it from their lists. When all passwords are used up, a new password list must be created. An example of this type of one-time password is the TAN list for online banking. If a password list is lost, an unauthorized person can come into possession of valid passwords. Procedures that generate one-time passwords dynamically on demand and combine them with other identification features are therefore more secure. Dynamic generation is possible in three ways:
- Time-triggered
- Event-driven
- On request of the server
In time-triggered generation, an OTP generator and the server generate passwords synchronized in time using the same algorithm. The passwords are valid for a certain period of time and are known to both sides.
In event-driven generation, the password is generated in response to an action, for example pressing a key on the OTP generator. The new password is generated from a calculation of the previously valid password and can thus be verified by the server.
In the case of generation by request from the server, the server provides the client with a value from which the one-time password can be generated by a certain algorithm. The server knows the given value and algorithm and is able to verify the generated password.
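The time-triggered method described above, as an added example that is not code from the original page: the page names no algorithm, so this sketch assumes the HMAC-based construction from RFC 4226 and RFC 6238, a 30-second validity period, six digits, and the hypothetical names `generate` and `Verifier`. The server side also enforces single use by refusing any interval it has already accepted, and tolerates one interval of clock drift.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each password stays valid (assumed value)
DIGITS = 6     # length of the displayed password (assumed value)

def otp_for_counter(secret: bytes, counter: int) -> str:
    """HMAC-based one-time password for one counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def generate(secret: bytes, now: float) -> str:
    """Token side: the counter is the number of STEP intervals since the epoch."""
    return otp_for_counter(secret, int(now) // STEP)

class Verifier:
    """Server side: same secret and algorithm, plus single-use enforcement."""
    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps   # tolerated clock skew, in intervals
        self.last_used = -1              # highest interval already accepted

    def verify(self, candidate: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_used:
                continue                 # interval already consumed: reject replay
            expected = otp_for_counter(self.secret, step)
            if hmac.compare_digest(expected, candidate):
                self.last_used = step
                return True
        return False

def demo() -> list:
    secret = b"12345678901234567890"     # constructed sample secret (RFC 6238 test key)
    server = Verifier(secret)
    code = generate(secret, 59)          # token display at t = 59 s
    return [
        code,
        server.verify(code, 59),         # first use is accepted
        server.verify(code, 60),         # replay of the same password is rejected
        server.verify(generate(secret, 90), 210),  # expired password is rejected
    ]

if __name__ == "__main__":
    print(demo())
```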
OTP tokens are small hardware devices for generating one-time passwords. They are also called password generators and can take the form of a check card or a small box. The generators are usually equipped with a single-line display. Depending on the method of OTP generation, they generate a new password at certain intervals or after pressing a button and show it on the display.
The password can be used for the authentication process or transaction and must be entered together with a user ID or PIN for multi-factor authentication. Password generators can also be implemented in software and used as an app on a smartphone.