One Time Passwords

Buddhi Vikasitha
3 min read · Jul 19, 2022

What is an OTP?

Have you ever waited for a confirmation code to arrive in your email or on your mobile device? If so, you have already used an OTP implementation. OTP stands for One Time Password. One Time Passwords appear in most of the authentication processes we meet on the web. The following are a few examples.

  • Banking systems
  • Clinical systems
  • Email systems
  • Storage systems
  • …and almost every other type of system.

OTP and TOTP

A One Time Password (OTP) is bound to a single authentication attempt of a single user: once it has been accepted, or has expired, the server must reject it if it is presented again, so a code that an attacker captures cannot be replayed in another session. Codes delivered by SMS or email should also expire after a short validity period. Time based One Time Passwords (TOTP, RFC 6238) go one step further: the code is not sent to the user at all but computed independently on both sides from a shared secret and the current time step (typically 30 seconds), so it is only valid inside that window. HOTP (RFC 4226) is the same construction with a counter in place of the time step. With TOTP the user must enter the code within the indicated time.

SFA and TFA

Single Factor Authentication (SFA) and Two Factor Authentication (TFA, usually written 2FA) differ in how many independent factors the user has to prove. With SFA a single factor is checked, typically something the user knows; a traditional username and password form is the usual example. With TFA the user must present two factors of different kinds (multi factor authentication generalises this to two or more): something they know, something they have, or something they are. An OTP is evidence of possession, of the phone, mailbox or authenticator that received or produced the code, and is therefore used as the second factor on top of a password. An OTP on its own is still single factor authentication.

Benefits of an OTP

Implementing an OTP adds cost and complexity, but it gives your application the following benefits.

  • A higher security level is achieved through the additional, independent factor.
  • Brute force and replay attacks become impractical when codes are generated unpredictably, accepted only once, and the number of failed attempts per code is limited.
  • A stolen password alone is no longer enough to log in. Note the limit of this benefit: an OTP does not stop real time phishing, where the attacker relays the code the user types into a fake page.

OTP architecture

The following is a general architecture for an OTP implementation.

Note the following about this architecture.

  • OTP verification is done before any access is granted. If the code provided is wrong, the user is sent back to an earlier step of the login flow, and the failed attempt is counted.
  • OTP secrets and issued codes are stored separately from the user data, so a leak of one store does not expose the other.
  • The OTP generation method is opaque to the client side application: the client only receives or enters a code and never learns the secret or the algorithm parameters.

The architecture can be adapted to the security requirements of the application.

OTP Complexity

Even when an OTP is time restricted it can in principle be guessed, for example by brute force: a six digit code has only a million possible values. The defence is not a more elaborate generation scheme but unpredictability combined with limits on how many guesses an attacker gets. Generate delivered codes from a cryptographically secure random source (or, for TOTP, from an HMAC over a per user secret and the time step, which is where the UNIX timestamp enters), keep the validity window short, accept each code exactly once, and cap the number of failed attempts per code. Mixing in a hash of the user's password adds nothing against an attacker who already holds the password database, so the secret the code is derived from must be one that attacker does not have.
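The server side of the architecture sketched above (verify before granting access, keep OTP state apart from user data, make generation opaque to the client) and the brute force limits from this section, as an added example that is not part of the original post: a small Python store that issues six digit codes from a CSPRNG, keeps only a keyed digest of each code, and refuses expired, replayed or over-tried codes. The code length, the five minute lifetime, the five attempt cap and the `pepper` key are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Policy values assumed for this example (not from the original post).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code expires five minutes after issue
MAX_ATTEMPTS = 5           # a code is locked after this many wrong guesses


@dataclass
class IssuedOtp:
    """What the server stores: a digest of the code, never the code itself."""
    digest: bytes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class OtpStore:
    """Issue and verify server-generated codes (the SMS/email kind).
    Kept apart from user records: a dict here, a separate table or cache in
    a real system."""

    def __init__(self, pepper: bytes):
        self.pepper = pepper   # server-side key, stored outside the user database
        self._issued = {}      # user_id -> IssuedOtp

    def _digest(self, user_id: str, code: str) -> bytes:
        # Keyed hash bound to the user: a leaked digest cannot be reversed by
        # hashing all 10**OTP_DIGITS candidates unless the pepper leaks too.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self.pepper, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, now: float) -> str:
        # CSPRNG, uniform over the whole code space; issuing again replaces the
        # previous code, so at most one code per user is live at a time.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._issued[user_id] = IssuedOtp(self._digest(user_id, code),
                                          now + OTP_TTL_SECONDS)
        return code  # handed to the delivery channel, not kept in clear

    def verify(self, user_id: str, code: str, now: float) -> bool:
        entry = self._issued.get(user_id)
        if entry is None or entry.consumed or now > entry.expires_at:
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            return False                  # brute force cap: locked after 5 misses
        entry.attempts += 1
        if not hmac.compare_digest(entry.digest, self._digest(user_id, code)):
            return False                  # wrong guess, counted above
        entry.consumed = True             # single use: replaying the code fails
        return True


if __name__ == "__main__":
    store = OtpStore(b"example-server-pepper")
    code = store.issue("alice", now=1000.0)
    print(store.verify("alice", code, now=1001.0))   # True
    print(store.verify("alice", code, now=1002.0))   # False: already consumed
```

The attempt counter lives with the code rather than with the user so that requesting a fresh code resets it; pair this with a rate limit on how often a user may request new codes, otherwise the attacker simply asks for another code after every five guesses.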

OTP Market

There is a market sector for OTP services, devices and related products. The OTP segment is part of a wider two factor authentication market valued at $3.5B in 2018 and expected to reach $8.9B by 2024, according to global market researchers. The primary customers are enterprises, banking, finance, insurance and securities, government, healthcare and gaming, where the safety of user accounts matters most.

I work as a Senior Software Engineer/Senior WebRTC Engineer at Telzee.io. We are based in the USA and Sri Lanka and we develop custom telehealth solutions.

Our telemedicine starter kit consists of all the tools necessary to start your online consultation, built for both individuals and teams. WebRTC ensures the security of your patient's data.

Powerful features reproduce the real physical environment of a healthcare institution: high quality video conferencing, patient queues, payment collection, ERM integration, staff management, whiteboard and more.

Buddhi Vikasitha

Software Engineer, Graphic Designer, Gamer, Mahindian, Graduate | buddhiv.io