A one-time password, or OTP, is a series of characters generated by a device, application, or online portal for an individual to use only once. One-time passwords are typically a second form of authentication for accessing an account. A website will often generate a one-time password for a user who wants to change their password or forgot it. That password change then has to be verified through email, text message, or another method. One-time passwords as an added method of two factor or multifactor authentication are being used more frequently. These codes help businesses verify users when they’re accessing sensitive data: Entering a code that was texted to your phone to verify banking information on a third-party app, for example.
A one-time password prohibits attackers from using a stolen password. If an attacker learns a regular account password, they may be able to break into a user’s account. But a one-time password is only valid once; if an attacker tries to use it, the login attempt will be invalidated.
Some organizations are now recommending using an application for one-time password authentication, rather than receiving it through text or phone call. An application on your phone would reveal less information to any phone service providers or eavesdroppers who might be spying on your phone network. An application for one-time passwords will also have more features, such as the ability to scan a QR code.