What is an OTP?
An OTP (One Time Password) is a password that is valid only once and for a limited amount of time, usually 30 seconds for more sensitive applications to 1 day for less sensitive applications. A randomly generated string of characters is sent to your mobile number or email and can be used to authenticate to an application. The general idea of an OTP is to add a second level of authentication, so that stolen credentials alone are not enough to reach your data. It is often called a second factor authentication code.
How safe is OTP?
OTP is considered a secure and safe way to authenticate to a service. The idea is to generate a random string, the OTP, and send it to the email address or mobile number that the user registered with the service. This challenge helps the service confirm that the person trying to authenticate is authorized to use the application or service.
The risk of fraud is limited when the user has to input a second password. OTP provides much better protection for e-banking, corporate networks, and other systems containing more sensitive data.
Imagine that someone knows your username and password. With an OTP as a second factor, the system requires a third input that only you can see, so the unauthorized access is denied.
How OTPs are generated
There are various approaches to generating OTPs; the main ones are listed below.
Time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time). Each user is given a physical token (which looks like a small calculator) or an app-based personal token that shows the OTP, and each code is valid only for a very short period.
A mathematical algorithm that generates a new password based on the previous password. Here each new OTP is derived from the previous OTP by applying a hash function.
A mathematical algorithm where the new password is based on a challenge (a random number chosen by the authentication server, or transaction details) and/or a counter.
How OTPs are delivered
SMS (short messaging service) is widely used to deliver the OTP to the user. The advantage is that most users have their personal mobile with them, and it is relatively easy to send an SMS. Your bank uses this method to deliver the OTP secure code to you. For applications with a large number of users, such as bank websites and e-commerce sites, delivering the code by SMS is the most practical solution.
An application (app) is installed by the user of the application or service, and the secure code is delivered through this app. Sometimes QR codes are also used to authenticate the user, as WhatsApp Web does. The advantage is that there is no delay in receiving the OTP secure code. If you are outside your cellular coverage, or travelling abroad, app-based authentication still works well.
Physical devices are given to users, and the OTP is displayed on the device and can be used to authenticate the user to the application or service. This method also lets you obtain a code even when you are travelling or away from your usual location; you simply carry the device, which usually looks like a pen drive or a calculator. Providing physical tokens to users involves cost, so such devices are not given to all users of the application or service. For example, a bank's senior employee uses one to authenticate to the bank's core systems before performing a sensitive operation.
How can you secure OTPs?
1. Never share your OTP with anyone over email, phone, SMS, or other social applications.
2. In the case of a physical device, destroy it when it is no longer in use.
3. If you are receiving OTPs for transactions that you did not initiate, report it to the concerned department, bank, or your IT team, and change your password immediately.