One-time password (OTP)

Have you ever carried out a transaction or used a particular login session online that required you to put in an OTP?

One-time password (OTP)
One-time password (OTP)

Perhaps a message like; “An OTP has been sent to your mobile number/email” or so.

And then you found yourself asking the question; What does OTP mean?

A lot of people make use of these OTPs, but they do not really know what it means, what it does, and how it is generated.

We live in a world where information is key.

Whoever knows more, rules the people around them.

How would you feel if you found yourself explaining this bad-ass tech stuff to people (probably friends or family)?

You’d feel cool I guess…

Knowing such information will always give you a higher personality, as people will always come to you whenever they come across something they don’t really know about.

Cool. Right?

Now, without wasting any more time, let us get down to what an OTP is, how it is generated, and how it is distributed.

What is OTP?

An OTP also known as a “one-time password” or pin is a kind of password that is valid for a login session or online transaction only once.

This login could be on a computer, smartphone, or any other digital device.

OTPs prevent so many flaws that are connected to normal password-based verification.

One good and crucial advantage about OTPs is that they are not prone to repeated attacks.

That is, a potential attacker who manages to get hold of a one-time password from you will not be able to login or conduct a transaction on your behalf.

It is a one-time password, so it becomes null and void the moment it has been used.


OTPs have prevented a number of attacks from fraudsters worldwide.

A good measure of these OTP systems also ensure that a transaction session or login session cannot easily be interrupted without cognition of unpredictable information that was created during a previous session.

This greatly reduces the attack on OTPs.

So far, these one-time passwords are said to be a potential emplacement to the normal static passwords.

This is indeed a very good development.

However, there is also a little con as these one-time passwords are often hard for humans to memorize all the time.

How are OTPs Generated?

Here are the ways through which these one-time passwords are generated.


One of the major methods through which these OTPs are generated is through time-synchronisation.

These time-synchronised OTPs are often connected to a piece of hardware that is called a security token.

That is, every user is given a private token which generates an OTP.

This device often looks like a calculator with an LCD that shows random numbers occasionally.

Inside the token, there is an accurate clock which has been connected to the one on the main authentication server.

On these systems, time is a very crucial aspect of any password algorithm.

Every generation is completely dependent on the particular time it is generated, in addition to the previously generated pin.

These tokens can be a sole device or even a mobile phone or any other device that runs the software.

A perfect example of these time based OTPs is the TOTP.

This means Time-based One-time Password.

Applications like password managers or even authenticators can be used to store these time-synchronized OTPs.

Mathematical Algorithm

Another method through which OTPs are generated is through mathematical algorithms.

With a mathematical algorithm, new OTPs are based on a challenge system.

That is, a random number is generated by the authentication server or through the transaction details.

At times, these mathematical algorithms generate new OTPs from previous ones.

With this kind of mathematical algorithm, every new one-time password is generated from old ones that have been used.

Method of Generating OTPs

Much credit to Leslie Lamport for this method.

It uses a one-way function ‘call it f’.

This method of generating OTPs uses the following flow.

Note: This flow is for experts.

It may seem confusing to people who have no idea about mathematical algorithms.

You can skip this if you are not an expert.


Choosing a starting value(s).


Continuous repetition of a hash function ‘f(s)’ to the starting value(s).

This gives a value of ‘f(f(f(… f(s)…))) which is f¹°°°(s), and it is stored in a target system.

Flow 3:

A user’s first login will make use of a pin obtained from applying the value of “f” to the starting value 999times.

The target system then authenticates that this is the correct pin, as f(P) =f1000(s), and this is the value stored in the system.

This value stored is then changed by P and a user is then allowed to freely log in to a session or transaction.


Whenever a user logs in again, it is accompanied by f998(s).

This is activated as hashing it will give f999(s) which is p (the value stored in previous sessions).

Once a new value takes the place of p, the user becomes authenticated.


The same process is repeated for up to 997times.

For each log in, the password will be ‘f’ applied with a single deduction.

This is made valid by properly checking that when hashed, it produces the value stored during the last login session.

These hash functions are designed to be very difficult to reverse, so an intruder will need to know the starting value to be able to calculate and generate the possible pin.

After the set for ‘s’ is finished, a new starting value can be gotten.

This is in a case where a limitless series of pins are needed.

The ways of distributing these OTPs which are token-based may likely use either of the types of mathematical-algorithm-generated OTPs rather than the time-synchronised ones.

How Are OTPs Delivered?

Here are the few ways through which these one-time passwords are delivered.

Through SMS

A regular method used for delivering OTPs is through text messaging (SMS).

This is because the text messaging system is an omnipresent communication method.

It is available in almost every mobile phone.

Through the text-to-speech conversion systems, even a landline can receive-texts.

Being such a popular and all-round system of communication, it is very good for the distribution of OTPs.

These OTPs sent over text messaging services are sometimes encrypted using the A5/X standard.

However, several research groups and hackers attest to the fact that it can be successfully decrypted within a few minutes.

In addition, some security down-sides in the routing protocol have successfully been used to divert the OTP texts to attackers.

Back in 2017,numerous customers of 02 in Germany were breached through this pattern, for direct access into their online banking accounts.

Similar cases have occurred in several other places around the globe.

This method of OTP delivery is also prone to sim swap frauds.

Through these sim swap frauds, an attacker secretly transfers a victim’s mobile number to their own sim.

This is then used to gain access to the victim’s messages (including the OTP messages).

Through Mobile Apps

OTPs are also delivered through mobile apps.

These could be authentication apps like Google Authenticator and Authy.

It can even be from a service’s existing app just like in ‘Steam’.

This method of delivery does not share the same security flaws with the SMS method, and it does not necessarily require a mobile network to be used.

Through Web-Based Methods

Authentication service providers offer different Web-based ways through which OTPs can be delivered.

These methods do not make use of tokens.

They rely on a user’s ability to pick out already chosen categories from a generated picture grid that is often random.

When registering on certain websites, a user is asked to choose numerous private categories of a certain thing.

This could be dogs, cars, flowers, etc.

Whenever a user tries to login to such websites, these randomly generated photo grids pop-up.

On these grids, every photo has an alphanumeric character that is hidden behind it.

The user then finds his pre chosen categories, and he/she enters the alphanumeric character for any pre-chosen category to form a one-time access pin.

Through Proprietary Tokens

Another method through which OTPs are delivered is through proprietary tokens.

The SecureID of the RSA security is a good example of these types of tokens.

Just like every other token, this may be damaged or even stolen, or the batteries may die.

These are for tokens that do not have recharging features.

Another version of the proprietary token was proposed by the RSA security.

This was in 2006, and it was titled ‘Ubiquitous authentication’.

It was proposed that through this pattern, RSA would have to partner with manufacturers so as to include a physical SecureID chip to devices.

These devices include mobile phones, etc.

Through Paper Printing (Hard Copy)

In certain online banking systems in some countries, a numbered list of one-time passwords is often sent to users.

This is printed on paper for use.

Some banks send it in the form of a plastic scratch card.

Numbered OTPs are often hidden behind these scratchable layers, so a user has to scratch it off to reveal an OTP.

Whenever a user carries out a fresh transaction online, he is expected to use the OTPs from the numbered list (often serially).

In some countries, this numbered list of OTPs is called ‘TAN’.

This is short for Transaction Authentication Numbers’.

Some financial institutions even distribute these TANs to users via SMS.

In such cases, they are called Mobile Transaction Authentication Numbers (mTAN).

These mTANs do not need to be printed on paper.

The OTPs delivered on print paper are said to be the cheapest OTP solutions.

Conclusion of ‘What Does OTP Mean?’

From this well-explained piece, I believe you now know more about these one-time passwords, how they are generated, and the various methods through which they are distributed.

Make sure you share this with friends whom you think might be interested in such educational posts.

In all, I hope you had a good read…

Buy Cheap MTN, Glo, 9Mobile, Airtel Data VTU Services, Check out the best offers for you Today

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top