Proton
Subscribe by RSS
A Proton blog cover image showing a phone screen with an empty one time password code field

What is a one time password?

Kate Menzies

Share this page

One-time passwords (OTPs) are one of the most common forms of two-factor authentication (2FA). In this blog, we’ll help you understand what an OTP is, the different types of OTP you might receive, and how to stay safe when you’re logging into your accounts. 

What is a one-time password?

How are one-time passwords created?

What is a one-time password used for?

Can one-time passwords be exploited?

Staying safe with one-time passwords

What is a one-time password?

One-time passwords (OTPs) are one of the most popular methods for 2FA and multi-factor authentication (MFA). 2FA involves using two methods of user authentication, and using more than two methods of authentication is known as multi-factor authentication (MFA).

OTPs are just one type of many user authentication methods that you can use. The more ways you authenticate your identity, the harder it is for someone to imitate you. The three key methods of user authentication include:

  • Something you know: This could be a password, a PIN, or the answer to a security question.
  • Something you are: This could be any biometric data unique to you, like your fingerprint, face ID, or retina scan.
  • Something you have: This could be either a physical token or a digital token. Physical tokens could include an ID badge or a security key. Digital tokens could include an OTP sent as an SMS or generated by an authentication app.

An OTP is a method for logging into an account, similar to a password or touch ID. Often, it’s a randomly generated set of numbers or letters sent to your device to help you log into an account on a one-time basis. You can also receive an OTP via an authenticator app, a phone call, or a security key. 

As the name suggests, you can only use an OTP once. Most OTPs will also expire after a certain amount of time, so they’re an effective method for confirming that you’re using a specific device at a specific time. 

They’re compatible with any device and any platform. Users aren’t required to take an action like downloading an app or using a security key to use them. They’re also easy, requiring little to no tech knowledge to use. Think of them as a ring of protection around your account – the more rings you put in place, the harder it is for someone to gain access.

How are one-time passwords created?

You can receive an OTP in many different ways. Some of the most common OTP delivery methods include SMS, email, authenticator app, and email. Here are some examples, split into physical and digital.

Physical

Some devices can create OTPs to help you access your accounts. These include 

  • USB drives and smartcards that can be inserted into your computer, phone, or tablet to verify your identity.
  • Smartphones and banking security devices that can generate their own OTPs.
  • Cards or Bluetooth-enabled devices that can also generate OTPs as contactless devices.

Digital

Software can also be used to generate OTPs:

  • An authenticator app, such as Google Authenticator, can generate 2FA codes to help you access the apps on your phone.
  • A business may send you an OTP via SMS, push notification, phone call, or email to verify that you’re currently using your device.

What is a one-time password used for?

It’s likely you’ve received an OTP before. Many websites and businesses use them because they can be more secure than traditional (known as ‘static’) passwords, which are more vulnerable to being leaked in data breaches. Since static passwords are user-generated, there’s also no guarantee that they’re strong. A strong password should use a mixture of special characters and numbers and ideally be randomly generated by a password generator so they’re not easily guessable.

Personal logins

Organizations working with sensitive data, such as banks, healthcare providers, and online retailers, often use OTPs to help you log in to each session online. They may use risk-based access, where you will only be prompted to enter an OTP if you’re trying to perform a specific action: for example, if you’re trying to transfer money from your bank account into an account you’ve never interacted with before. In this instance, verifying your identity will protect both you and the bank.

Professional logins

You may also be required to receive OTPs to log into your business tools. Businesses work with sensitive data, which is essential to protect with robust user authentication. Many companies have begun enhancing their online security by enforcing 2FA or MFA. In its Cyber Essentials Starter Kit(new window) the Cybersecurity and Infrastructure Security Agency(new window), the US government agency charged with cybersecurity, recommends enforcing MFA as one of your first actions as a business leader. Requiring workers to authenticate their identities using OTPs is an excellent way to protect a business at every level of the workforce.

Can one-time passwords be exploited?

There is no doubt that using an additional method of authentication is safer than just using a static password. However, no method of authentication is 100% secure. 

Passwords sent via SMS and email can be intercepted. By using social engineering, hackers can encourage someone who has received an OTP to share it. One-time password bots(new window) can intercept passwords before the intended recipient even receives them. Multiple exploits, including SMS phishing (known as smishing(new window)) and SMS pumping(new window), are available to determined hackers. Sim swapping also allows hackers to gain access to a phone without being anywhere near it.


It’s harder to intercept codes sent from authenticator apps, but it isn’t impossible. In 2020, experts discovered malware installed on Android phones that was able to steal 2FA codes(new window) generated by Google Authenticator.

Staying safe with one-time passwords

Turning on 2FA or MFA is the best way to protect yourself online. An OTP is an excellent defense when configured properly. The best way to configure your 2FA? With a password manager. A password manager helps you create as many barriers between bad actors and your accounts as possible without requiring you to be a cybersecurity expert

With Proton Pass, you can generate 2FA codes for your accounts using our integrated authenticator. Everything you store in Proton Pass, including codes you generate, is protected by battle-tested end-to-end encryption. That means it’s only available to you. You can also protect your Proton Pass account using a biometric login, increasing your account’s security.    

If you need to send an OTP to a family member or co-worker, the most secure method is via a secure link. You can limit these links so they can only be accessed a certain number of times and to expire after a chosen amount of time. (It should be noted that you should only share an OTP if you can verify the identity of the person requesting it – if the request comes via a phone call or an SMS from an unknown sender, take steps to verify their identity.)


You can keep your logins, personal details, and 2FA codes safe in Proton Pass whether you’re using it as an individual or a business. Find out which plan to get started with.

Protect your passwords
Create a free account

Related articles

An illustration of a laptop and an open envelope
Lay the foundation for lasting business success with a privacy-first website using a secure domain and email from Porkbun and Proton Mail.
Flow, a wordless fable about a cat and other stray animals navigating a flooded world, was made with Blender, a free, open-source 3D animation tool.
A Latvian indie film that used open source tools beat Disney at the Oscars, proving open source can challenge industry giants.
A Bitcoin and a central bank digital currency coin
Learn how CBDCs could give governments new powers to control money and monitor financial activity and how Bitcoin prevents this.
A computer monitor, a box of case files, and a lock representing law firms that protect their information security
A simple guide to law firm cybersecurity. See how to protect business and client data, prevent breaches, and stay compliant with encryption.
The cover image for a Proton Pass blog about brushing scams, which shows a package with a warning sign above it
A brushing scam means your personal data has leaked online. Learn how to protect yourself with hide-my-email aliases and dark web monitoring.
An encryption lock breaking
Apple turned off its end-to-end encryption in the UK in response to a government notice. We look at what this means and how people in the UK can protect their data.