What Is One-time Password? Security Definition
Also known as: one-time password, OTP, two-factor authentication, TOTP, HOTP
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
Quick Definition
A one-time password, or OTP, is a short code you use only once to prove you are who you say you are. It is usually sent to your phone or email and expires after a few minutes. Unlike a regular password you reuse, an OTP changes every time you need it.
Must Know for Exams
One-time passwords appear in multiple certification exams, most notably CompTIA A+, CompTIA Security+, and other security-focused certifications. In CompTIA A+ (220-1102), OTPs are introduced as part of basic security concepts and multi-factor authentication. The exam objectives for 2.2 include explaining authentication methods, where OTPs are listed as a common something you have factor. Learners need to understand that OTPs are time-based or event-based codes that add a second layer of security beyond a password. Questions may ask which factor an OTP represents, or why OTPs are more secure than static passwords.
In CompTIA Security+ (SY0-601 or SY0-701), OTPs are covered in more depth under domain 3.0, Implementation of Secure Protocols and Authentication. The exam expects you to know the difference between HOTP and TOTP, understand that SMS-based OTPs are less secure than app-based or hardware tokens due to SIM swapping and interception risks, and recognize scenarios where OTPs are appropriate. Objectives such as 3.3 (Implement authentication and authorization solutions) and 3.8 (Implement secure network protocols) reference OTPs as part of 802.1X, RADIUS, and TACACS+ configurations. You may be asked to choose the most secure OTP delivery method for a given situation, or to identify why a time-based OTP failed due to clock skew.
Cisco's CCNA and CompTIA Network+ exams also touch on OTPs in the context of AAA (Authentication, Authorization, and Accounting) servers and VPN authentication. Security+ exam questions often present a scenario where a user's password is compromised, and the correct answer involves requiring an OTP for additional verification. Another common question format asks which OTP method does not require network connectivity on the client side (TOTP app). Understanding these distinctions is essential for scoring well on authentication-related questions. The exam will also test your awareness of OTP limitations, such as phishing risks with SMS and the importance of NTP synchronization for TOTP.
Simple Meaning
Think of a one-time password like a single-use key for a hotel room. When you check into a hotel, the front desk gives you a key card that works only for your room and only during your stay. If you try to use that same key card next week, it will not work because the lock has been reprogrammed.
An OTP works the same way online. When you log into your bank account from a new device, the bank sends a temporary code to your phone. You type that code in, and it grants you access for that one session.
If someone steals that code a minute later, it is already useless because the system has invalidated it. This is different from your main password, which you set once and use over and over. If a hacker steals your main password, they can log in anytime.
But an OTP is good for only one use and a very short window of time, often 30 to 60 seconds. Many services generate OTPs through an app on your phone, like Google Authenticator or Microsoft Authenticator. The app and the server share a secret seed, and they both compute the same code using the current time.
Because time moves forward, the code changes every 30 seconds. The server knows exactly which code the app should display at any moment. If you enter a code that matches, the server is confident that you possess the device with the correct seed.
This makes OTPs a powerful tool for protecting accounts even if your main password gets compromised. They are a core part of two-factor authentication, often called 2FA, which adds a second layer of security beyond just a password. In short, an OTP is a temporary token that proves you have access to a trusted device or phone number, making it much harder for attackers to impersonate you.
Full Technical Definition
A one-time password is a cryptographically generated string of digits or alphanumeric characters that is valid for only one authentication attempt or a very short time window. OTPs are a key component of multi-factor authentication, specifically the something you have factor, because possession of the generating device or receiving channel is required. There are two primary standards for OTP generation: HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP).
HOTP, defined in RFC 4226, uses a counter that increments with each successful authentication. Both the client and the server keep a synchronized counter value. The client computes an HMAC-SHA1 over the counter using a shared secret key, then applies dynamic truncation to the hash to produce a 6 to 8 digit code. After each successful login, the counter on both sides advances. This method is event-based, meaning the code changes only when used.
TOTP, defined in RFC 6238, builds on HOTP by replacing the counter with a time step. The client and server both derive the current time interval, typically 30 seconds, from the Unix time and use that interval number as the moving factor. The code is computed with the same HMAC-SHA1 construction as HOTP, and the window of validity is usually two intervals to account for slight clock drift. TOTP is more common because the moving factor advances by itself with the clock, so client and server stay aligned without each login having to advance a counter.
In practice, OTPs are delivered through several channels. SMS-based OTPs are sent via text message to the user's registered phone number. The server generates a code, stores it with an expiration timestamp, and sends it through the mobile carrier's network. The user enters the code to prove possession of the SIM card. App-based OTPs use TOTP, where a smartphone application like Google Authenticator or Authy generates codes offline using the shared secret and current time. Hardware tokens, such as RSA SecurID or YubiKey, generate OTPs using a built-in clock and secret key, often with a physical button press to trigger code generation. Push-based OTPs send a notification to a trusted device, and the user approves or enters a code displayed on that device.
Security considerations include the risk of SIM swapping attacks against SMS-based OTPs, where an attacker convinces a carrier to transfer the victim's phone number to a new SIM card. App-based and hardware TOTP are more resistant to interception because the code never travels over a network before the user enters it. OTPs also mitigate replay attacks, as each code is valid for only one use or a very short time window. Network Time Protocol synchronization is critical for TOTP, as a significant clock skew between client and server will invalidate otherwise correct codes. Servers typically allow a small window of one or two time intervals before and after the current interval to compensate for minor drift.
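The two algorithms described above, as an added Python example that is not code from the original page: hotp() implements RFC 4226 (HMAC-SHA1 over the 8-byte counter, then dynamic truncation), totp() feeds it the 30-second time step per RFC 6238, and verify_totp() is the server-side check with the one-interval drift window described above, returning the matched step so the caller can refuse a replay of the same code. The test-vector secret 12345678901234567890 is the one published in the RFCs; the demo secret, timestamps and the TotpAccount class are constructed for illustration.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation, plus a server-side verifier
with a clock-drift window and replay protection. Added example, not page code."""
import hashlib
import hmac
import struct
from typing import Optional

# Test-vector secret published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation
    (4 bytes taken at the offset given by the low nibble of the last MAC byte)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: the moving factor is the count of whole periods since the epoch."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, server_time: int, window: int = 1,
                period: int = 30, digits: int = 6) -> Optional[int]:
    """Accept a code for the current step or up to `window` steps either side of it.
    Returns the step that matched (for replay tracking) or None on failure."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = server_time // period
    for step in range(current - window, current + window + 1):
        # compare_digest keeps the comparison constant-time regardless of mismatch position
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            return step
    return None


class TotpAccount:
    """Server-side record for one enrolled user (constructed for this example): the
    shared secret plus the last accepted time step, so a code cannot be replayed
    inside the acceptance window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def login(self, submitted: str, server_time: int) -> bool:
        step = verify_totp(self.secret, submitted, server_time, self.window)
        if step is None or step <= self.last_accepted_step:
            return False
        self.last_accepted_step = step
        return True


if __name__ == "__main__":
    # Constructed demo secret; RFC 4226 requires at least 128 random bits per user.
    demo_secret = b"constructed-demo-secret"
    client_time = 1_000_000_020  # constructed timestamp, exactly on a 30 s boundary
    code = totp(demo_secret, client_time)
    for skew in (0, 45, 95):
        ok = verify_totp(demo_secret, code, client_time + skew) is not None
        print(f"server clock {skew:>2}s ahead -> {'accepted' if ok else 'rejected'}")
```

With the default window of one step, a 45-second skew still validates (the code's step is adjacent to the server's), while a 95-second skew is rejected, which is the clock-drift failure the troubleshooting sections of this page describe. Recording the accepted step is what turns "valid for a time window" into "valid once".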
Real-Life Example
Imagine a secure office building where employees use a two-step entry system. The first step is a keycard that identifies you as an employee. That keycard is like your username and password — it proves you have permission to be in the building.
But just having a keycard is not enough to enter the most sensitive areas, like the server room. For that, you also need a temporary code that the security guard gives you each time you approach the door. The guard writes a four-digit number on a sticky note, and you must enter it on a keypad within 30 seconds before the note self-destructs.
That sticky note is your one-time password. It works only for that one entry and expires immediately after use. If you lose the note, no one else can use it because the guard has already thrown away the matching record.
This maps directly to how OTPs work online. Your main password is like the keycard — it stays the same and grants basic access. The one-time password is the sticky note from the guard.
It is generated on demand, is valid for a short time, and cannot be reused. Even if an attacker steals a photo of the sticky note after you have entered, the code is already expired. The guard, acting like the authentication server, keeps a log of which codes were issued and which have been used.
If someone tries to reuse a code, the guard checks the log and denies entry. This layer of temporary, unique codes dramatically increases security because an attacker must both steal your keycard and intercept a live sticky note in the same short window — a much harder task than just guessing a password.
Why This Term Matters
One-time passwords matter because they solve a fundamental weakness of static passwords: reuse and theft. A static password, once stolen, can be used by an attacker indefinitely until the user changes it. Data breaches expose millions of passwords every year, and many people reuse the same password across multiple services. An OTP adds a dynamic element that an attacker cannot predict or reuse. In real IT work, OTPs are deployed to protect privileged accounts, remote access systems, and customer-facing applications. System administrators use OTPs as part of two-factor authentication for VPN access, server management consoles, and cloud infrastructure dashboards. If an admin account password is compromised, the attacker still cannot log in without the current OTP from the admin's phone.
In cybersecurity, OTPs are a critical defense against credential stuffing and phishing. Credential stuffing attacks use stolen username and password pairs from one breach to try them on other services. With OTPs enabled, the attacker also needs the one-time code, which they cannot get without access to the user's device. Phishing attacks that trick users into entering their password on a fake site are often mitigated if the site also requires an OTP, because the phisher would need to forward the OTP in real time, which is technically complex and often detectable. For cloud infrastructure, OTPs are built into identity and access management services like AWS IAM, Azure AD, and Google Cloud Identity. Administrators can enforce MFA policies that require an OTP for any sensitive action, such as creating a new user or modifying security group rules. This protects the organization even if an admin's laptop is infected with malware that steals credentials.
From a compliance perspective, many regulatory frameworks, including PCI DSS, HIPAA, and GDPR, strongly recommend or require multi-factor authentication for accessing sensitive data. OTPs provide a practical, low-cost way to meet these requirements. For help desk and support teams, OTPs are used for passwordless authentication or temporary access grants. A support agent can generate a single-use OTP for a locked-out user to regain access, without revealing the user's permanent password. This reduces administrative overhead while maintaining security. In short, OTPs are not just a nice extra — they are a baseline security measure for any organization that takes data protection seriously.
How It Appears in Exam Questions
Exam questions about one-time passwords typically fall into several categories. The first is concept identification questions. These ask directly what an OTP is, what authentication factor it represents, or how it differs from a static password. For example, a question might state: A company wants to add a second authentication factor that does not require hardware tokens. Which method should they use? The answer choices might include SMS OTP, biometrics, smart card, or knowledge-based questions. The correct answer is SMS OTP because it uses a code sent to a phone, which is a something you have factor.
The second category is scenario-based questions. These present a situation where a security breach occurred or a user is experiencing login issues, and the learner must identify the role of OTPs in the solution. For instance: A user reports that their account was accessed from a foreign country even though they enabled two-factor authentication. What is the most likely cause? The correct answer might be that the OTP was sent via SMS and the user's SIM card was cloned. Another scenario: A security administrator notices that users' TOTP codes are consistently rejected for one specific server. What is the most likely cause? The answer is clock drift between the server and the users' devices, requiring NTP synchronization.
The third category is comparison or selection questions. These ask which OTP method is most secure, most convenient, or most appropriate for a given environment. For example: Which of the following one-time password methods is most resistant to phishing? The answer is a hardware token or app-based TOTP, because the code is generated on the device and not transmitted over a network before use. Alternatively: A company wants to implement OTP authentication for employees traveling internationally. Which method would be least affected by roaming data charges? The answer is TOTP app, because it generates codes offline without needing mobile network connectivity.
The fourth category is troubleshooting and configuration. These questions ask why an OTP system is failing or what settings need adjustment. For example: A user configured TOTP on their phone, but the codes are not working. What should the administrator check first? Answer: The time synchronization on the user's device. Another: After deploying hardware OTP tokens, users report that tokens from the same batch produce the same codes. What is the problem? Answer: The tokens were not seeded with unique shared secrets.
Finally, policy and compliance questions ask about OTP requirements for meeting regulatory standards. For example: To comply with PCI DSS, which type of authentication must be implemented for remote network access? Answer: Multi-factor authentication, which can include an OTP. Understanding these question patterns helps learners focus their study on the practical applications and limitations of OTPs rather than just memorizing definitions.
Example Scenario
A mid-sized accounting firm uses a cloud-based software to manage client tax documents. The firm requires all employees to log in with a username and password, but after a recent phishing attack compromised two accounts, the IT manager decides to add two-factor authentication. She configures the system to send a one-time password via SMS to each employee's mobile phone whenever they log in from an unfamiliar IP address.
One morning, an employee named Priya logs into the system from a new coffee shop WiFi network. She enters her username and password. The system recognizes the new location and triggers an SMS containing a six-digit code to Priya's phone. Priya receives the code and types it into the login page. She is granted access. The OTP is valid for only 60 seconds and is immediately invalidated after use. Later that same day, an attacker who intercepted Priya's email inbox finds her username and password. The attacker tries to log in from a different city, but without access to Priya's phone, they never receive the OTP. The login attempt fails. The one-time password stopped the attack because the attacker lacked the something you have factor. This scenario illustrates how OTPs protect even when static credentials are exposed, and why they are a critical defense for remote access systems.
Common Mistakes
Thinking that a one-time password is more secure than a static password in all situations.
OTPs are a second factor, not a replacement. If the OTP is sent via SMS, it can be intercepted through SIM swapping or SS7 protocol vulnerabilities. Also, if a phishing site collects both the password and the OTP in real time, the attacker can use that OTP to access the real site. OTPs are not a silver bullet; they are a strong additional layer when used correctly.
Treat OTPs as an additional security layer, not a standalone solution. Always pair them with strong password policies and consider using app-based or hardware tokens instead of SMS for higher security.
Believing that a one-time password is the same as a password reset code.
A password reset code is used to change a forgotten password and typically grants full control over the account. An OTP is used for a single authentication session and does not change the underlying password. They serve different purposes in the authentication lifecycle.
Remember that OTPs are for logging in, not for resetting credentials. Password reset codes are usually longer-lived and allow account recovery, so they should be treated with even more care.
Assuming that all OTPs are generated by an app and work offline.
Only Time-based One-Time Password (TOTP) apps generate codes offline using the device clock. SMS OTPs require cellular network connectivity, and hardware tokens may require a USB connection or button press. Some OTP systems use algorithms and counters that need synchronization with a server.
Know the three main OTP delivery methods: SMS (online, carrier-dependent), app-based TOTP (offline, time-based), and hardware token (offline or USB). Each has different connectivity requirements and security profiles.
Thinking that using an OTP means you do not need a strong password.
OTPs add a layer, but if the password is weak, an attacker could still compromise the account through other means, like password spraying or guessing the password and then intercepting the OTP. A weak primary password reduces overall security even with OTP enabled.
Always enforce strong password policies alongside OTP requirements. The OTP is a safety net, not an excuse to relax password hygiene.
Confusing event-based (HOTP) with time-based (TOTP) OTPs.
HOTP uses a counter that increases with each use, so codes are valid until used. TOTP uses a time interval, so codes expire every 30 or 60 seconds even if not used. Mixing these up can lead to incorrect troubleshooting or deployment choices.
Remember HOTP = counter (event-based). TOTP = clock (time-based). For most modern applications, TOTP is preferred because it does not require active synchronization of a counter.
Exam Trap — Don't Get Fooled
The exam presents a scenario where a user is locked out of their account because the OTP code they entered is rejected, even though they are sure they typed it correctly. The question asks for the most likely cause, and one answer choice says the OTP has already been entered and used. Another says the device clock is out of sync.
Learners often pick the used OTP answer because it sounds plausible. Always consider the context of the question. If the user is entering a code immediately after receiving or generating it, time sync is the more likely culprit than reuse.
Memorize that TOTP requires NTP or manual clock adjustment. On the exam, if the scenario mentions an app-based code (like Google Authenticator), focus on clock drift first. Only consider code reuse if the scenario suggests a delay or multiple attempts.
Commonly Confused With
A password reset code is used to regain access to an account after the password is forgotten. It usually allows the user to set a new password and often has a longer validity period, such as 15 minutes to 24 hours. An OTP is used for a single login session and does not change the permanent password.
When you click forgot password on your email, you receive a link or code to create a new password. That is a password reset code. When you log in normally and get a code from an authenticator app, that is an OTP.
A session token is generated by the server after successful authentication and is stored in a cookie or browser storage to maintain the user's logged-in state across multiple page requests. It is reused for the duration of the session, whereas an OTP is used only at the moment of login and is immediately discarded.
After you log into a website with your password and OTP, the server gives your browser a session token so you do not have to re-authenticate on every page. The OTP was used only at the start.
MFA is the overall security framework that requires two or more authentication factors. An OTP is one possible factor used within an MFA implementation. MFA can also use biometrics, smart cards, or security questions. The OTP is a tool, while MFA is the policy.
Enabling MFA on your account means you need two things to log in: your password (something you know) and an OTP from your phone (something you have). The OTP is just one part of the MFA setup.
Push notification authentication sends an alert to a trusted device asking the user to approve or deny the login attempt. The user does not need to type a code. An OTP requires the user to read a code from the device or message and type it into the login page. Both serve as a second factor but differ in user interaction and resistance to phishing.
When you log into Microsoft 365, you might get a notification on your phone asking Approve or Deny. That is a push notification. If instead you open the authenticator app and type a 6-digit code, that is an OTP.
Step-by-Step Breakdown
Initiation
The user attempts to log in with their username and static password. The server verifies the password as the first factor. If correct, the server determines whether a second factor is required based on policy, device trust, or location.
OTP Generation
The server generates a one-time password using a cryptographic algorithm. If using TOTP, the server reads the current time, divides it into 30-second intervals, and computes an HMAC-SHA1 hash using the shared secret and the time interval. The hash is truncated to produce a 6 to 8 digit code.
Delivery or Display
The OTP is delivered to the user through the configured channel. For SMS, the server sends the code via a text messaging gateway to the user's phone number. For an authenticator app, the user's device independently computes the same code using the same shared secret and time interval, so no network delivery is needed.
User Entry
The user reads the OTP from their device or message and types it into the login form on the website or application. The user must enter the code before it expires, typically within 30 to 60 seconds for TOTP or before the session times out for SMS.
Server Verification
The server receives the entered code and compares it against the expected code it computed or stored. For TOTP, the server may check the current time interval plus one or two intervals before and after to allow for clock drift. If the code matches, the server considers the second factor authenticated.
Session Creation
Upon successful verification of both factors, the server creates an authenticated session for the user. The OTP is marked as used in the server's database or invalidated for future attempts. The user is granted access to the requested resources.
Expiry and Cleanup
The OTP is rendered invalid after successful use or after its time window expires. Any unused OTPs are discarded. This ensures that even if an attacker intercepts an old code, it cannot be reused for a future login attempt.
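The server-side lifecycle from OTP Generation through Expiry and Cleanup, for a delivered (SMS or email) code rather than an authenticator app, as an added Python example that is not code from the page: OtpStore.issue() draws a code from a CSPRNG and stores it with an expiry, verify() enforces expiry, single use, an attempt cap and a constant-time comparison, and cleanup() discards unused codes. The 60-second validity matches the scenario on this page; the user ids, timestamps and the attempt limit of five are constructed assumptions.

```python
"""Server-side store for delivered OTPs: issue with expiry, verify once, discard.
Added example, not code from the original page."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

OTP_TTL_SECONDS = 60   # validity used in this page's scenario
MAX_ATTEMPTS = 5       # constructed guess limit per issued code


@dataclass
class IssuedOtp:
    code: str
    expires_at: float
    attempts: int = 0


class OtpStore:
    """One pending code per user; a new issue replaces any earlier one."""

    def __init__(self) -> None:
        self._pending: Dict[str, IssuedOtp] = {}

    def issue(self, user_id: str, now: float, digits: int = 6) -> str:
        # secrets.randbelow is a CSPRNG; zfill keeps leading zeros in the code
        code = str(secrets.randbelow(10 ** digits)).zfill(digits)
        self._pending[user_id] = IssuedOtp(code, now + OTP_TTL_SECONDS)
        return code  # handed to the SMS/email gateway; never written to logs

    def verify(self, user_id: str, submitted: str, now: float) -> bool:
        rec = self._pending.get(user_id)
        if rec is None or now > rec.expires_at:
            return False                      # nothing pending, or expired
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: burn the code
            return False
        if not hmac.compare_digest(rec.code, submitted):
            return False                      # constant-time mismatch
        del self._pending[user_id]            # single use: invalidate on success
        return True

    def cleanup(self, now: float) -> int:
        """Drop codes that expired without being used; returns how many were removed."""
        expired = [u for u, r in self._pending.items() if now > r.expires_at]
        for user_id in expired:
            del self._pending[user_id]
        return len(expired)

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    store = OtpStore()
    t0 = 1_700_000_000.0  # constructed timestamp
    code = store.issue("priya", t0)
    print("first use:", store.verify("priya", code, t0 + 30))   # True
    print("replay:   ", store.verify("priya", code, t0 + 31))   # False
```

Deleting the record on success is what makes a captured code useless a moment later, and the attempt cap keeps a six-digit space from being brute-forced inside the validity window; both checks belong on the server, since the client cannot be trusted to enforce either.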
Practical Mini-Lesson
In real IT environments, implementing and managing one-time passwords requires understanding both the user experience and the security trade-offs. As a system administrator, you will often be responsible for enabling OTP-based MFA across your organization. The first decision is which OTP delivery method to use. SMS OTPs are the easiest to deploy because they do not require installing an app on user devices, but they are the least secure. SIM swapping attacks are a real threat, and SMS messages can be intercepted through SS7 vulnerabilities. For most organizations, especially those handling sensitive data, app-based TOTP or hardware tokens are recommended.
To deploy app-based TOTP, you typically configure an identity provider like Azure Active Directory, Okta, or Duo Security. The user enrolls by installing an authenticator app on their phone. During enrollment, the server displays a QR code that encodes the shared secret and account details. The user scans the QR code with the app, which stores the secret and begins generating codes. The user then verifies by typing one of those codes into the server. This proves the app is correctly synchronized. After that, every login requires the user to enter the current code from the app.
For hardware tokens, such as YubiKey or RSA SecurID, the enrollment process involves physically programming the token with a unique secret. The token generates codes based on time, and users carry it on a keychain. Hardware tokens are more expensive to deploy but are highly secure and do not depend on a mobile phone that could be lost or stolen. They are commonly used in government, finance, and high-security environments.
Troubleshooting OTP issues is a routine task. The most common problem is clock drift. If a user reports that their TOTP codes are not working, check the time on their device. Users should enable automatic time synchronization. For servers, ensure NTP is running correctly. Another issue is that an authenticator app might be generating codes for the wrong account if the user scanned multiple QR codes. Ask the user to check which account name is displayed in the app. For SMS OTPs, common problems include delayed delivery, blocked numbers, or roaming issues where the carrier does not support short code messages. Always have a backup method, such as recovery codes or a secondary email, in case the primary OTP method fails.
OTPs also connect to broader security concepts like zero trust architecture. In a zero trust model, every access request is treated as untrusted, and an OTP provides a strong signal that the user is who they claim to be. OTPs are used in conjunction with conditional access policies that require MFA only for risky sign-ins, such as from unknown devices or locations. This balances security with user convenience. For compliance audits, you will need to prove that MFA is enforced and that OTP delivery is secure. Document your OTP policy, including the method used, enrollment procedures, and incident response for token loss or SIM swap attacks. By mastering OTP implementation and troubleshooting, you contribute directly to the organization's security posture and compliance readiness.
Memory Tip
OTP = One Time Passcode. Think One and Done: after you use it, it is gone. TOTP = Time-based, so check the clock. HOTP = Happens after each use, count the events.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
220-1101 CompTIA A+ Core 1
220-1102 CompTIA A+ Core 2
SY0-701 CompTIA Security+
SC-900 Microsoft SC-900
CDL Google CDL
ISC2 CC
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601 (superseded by SY0-701, the current version)
Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
Can a one-time password be reused if I did not use it in time?
No, once an OTP expires, it becomes invalid. For TOTP, the code changes every 30 seconds, so you must request or generate a new one. For SMS OTPs, the code typically expires after a few minutes, and you need to request a new one.
Is SMS OTP the same as app-based OTP?
No. SMS OTP is sent as a text message over cellular networks and depends on your carrier. App-based OTP is generated on your device using TOTP, works offline, and is generally more secure because it is not transmitted over a network.
What happens if I lose my phone that has the authenticator app?
You should have saved recovery codes when you first set up the app. Those codes can be used once each to regain access. If you do not have recovery codes, you will need to contact the service provider and go through identity verification to reset your MFA.
Why does my TOTP code sometimes not work even though I typed it correctly?
The most likely cause is clock drift on your device. The TOTP algorithm relies on accurate time. If your phone or computer clock is off by more than a minute, the codes will not match. Enable automatic time synchronization to fix this.
Is a one-time password considered a password under security policies?
No, an OTP is not a password in the traditional sense. It is a temporary token used for a single authentication. Security policies that govern password length, complexity, and rotation do not apply to OTPs because they are generated and managed by the system.
Can a hardware OTP token be cloned?
If the token uses a strong random secret and is properly manufactured, cloning is extremely difficult without physical access to the token's internal memory. However, tokens that are not tamper-resistant could theoretically be reverse-engineered. Reputable tokens use secure elements to protect the secret.
Summary
A one-time password is a temporary, single-use code that adds an extra layer of security to the authentication process. Unlike a static password that remains the same across sessions, an OTP changes every time it is used or after a short time interval. It represents the something you have factor in multi-factor authentication, proving that the user possesses a trusted device or phone number.
OTPs are generated using standards like HOTP and TOTP, and they can be delivered via SMS, authenticator apps, or hardware tokens. For IT certification exams, especially CompTIA A+ and Security+, you need to understand the difference between these delivery methods, the security strengths and weaknesses of each, and typical troubleshooting scenarios like clock drift. In real-world IT work, OTPs are a cornerstone of access control, protecting against credential theft, phishing, and unauthorized access.
Remember that OTPs are not a replacement for strong passwords but a powerful complement. The single-use nature makes them a reliable defense for remote access, cloud services, and sensitive data environments. As you prepare for your exam, focus on recognizing when an OTP is the correct authentication method, identifying common failure points, and understanding how OTPs fit into the larger security framework of authentication protocols and policies.