
Cyber attacks have become an ever-present danger that threatens to shut down digital activities. Cybercriminals' pursuit of sensitive data has heightened data security concerns for companies operating in the digital space, and continuing data breaches are causing these companies huge financial losses.
In the search for better security, firms have developed multi-factor authentication methods, including One-Time Passwords. These single-use passwords add a second layer of security on top of conventional passwords and give companies a more cost-effective way to safeguard user data.
However, implementing an OTP system comes with some challenges for these enterprises. Generating OTPs, using them correctly, and setting up OTP SMS delivery are hurdles they must clear to get the maximum benefit from OTPs.
We have created this guide to give developers and business owners insight into how to generate One-Time Passwords. You will also learn to implement an OTP system using a bulk SMS service. But before delving into the main topic, let's define OTPs and their types.
What are One-Time Passwords (OTPs)?

One-Time Passwords are strings of random characters, such as digits and letters, created for a single use to verify identity or confirm a transaction. An OTP could be 6 – 10 characters long and is only valid for single use.
OTP, as a 2FA method, provides greater security than weak passwords alone. To compensate for these flawed passwords, an OTP is generated and sent to a device owned by the user, and the user proves possession of that device by entering the code.
Usually, a user only needs a username and a static password to log in. Unfortunately, static passwords are easy to guess and remain reusable until the user changes them. In addition, users with little to no knowledge of security choose weak and predictable passwords such as 'qwerty,' 'abcde,' or even 'password.' This leaves their accounts prone to security breaches. Data breach investigation statistics show that static passwords are the leading cause of data breaches worldwide.
OTP is more dynamic, changing every time a login attempt is made. The codes are random and follow no discernible pattern, which makes them effective at keeping cybercriminals out of an enterprise system.
Websites with an OTP service generate an OTP whenever a user attempts to log in to an account. Using bulk 2-way SMS, the OTP is sent to the phone number or email linked to the account, ensuring that the legitimate user receives and uses the code.
Common use cases for OTP include account signup, recovery, password reset, new device login, transaction confirmation, and checkout on an e-commerce site.
Types of OTPs
Different OTPs exist with different approaches to the security of online data. Understanding how each works will help you choose which is more suitable for your business.
Time-Based OTPs (TOTP)
This type of OTP uses the current system time to create unique codes for verification. Whereas a conventional OTP is a random alphanumeric code, a TOTP is derived from the current time: the generating algorithm computes a hash-based message authentication code over the time value using a secret known to both the server and the client.
A distinct feature of TOTP is the short window between its generation and expiration. For instance, a TOTP is valid for 30 – 60 seconds, meaning a user must use it quickly once it is sent. The short time frame also leaves cybercriminals little opportunity to use an intercepted code. A TOTP is also valid for single use only and is immune from replay attacks.
Counter-Based OTPs (HOTP)
While TOTP uses time as the moving factor for authentication, Counter-based OTP (HOTP, HMAC-based OTP) uses a counter. HOTP generates each new code from a counter that advances with every code produced, so each code depends on the codes generated before it. The user's OTP device combines a seed value with a hash chain to generate the unique OTP.
The server and the login system hold the same seed value and apply the same hash function, so both sides can continuously generate matching codes. Since the seed value is unknown to third parties, it is practically impossible to guess how the OTPs are generated.
An HOTP remains valid until the next one is generated. Unlike TOTP, this makes it more user-friendly, as the user can enter the code at their convenience.
Transmission-based OTP
These are the more common types of OTPs. In this case, the OTP is generated and sent via emails or SMS for users to copy and use for additional security.
An authentication server can randomly generate these codes and send them to your customers to confirm their identity or complete their transactions.
The Debate: OTP vs. TOTP
Security experts often engage in discussions concerning the superiority of one-time password solutions.
Preferences tend to split between those favoring the traditional OTPs and advocates for Time-based One-Time Passwords (TOTP).
Understanding OTP
One-Time Passwords, abbreviated as OTP, are essentially unique, scrambled codes used once for authentication purposes. OTPs serve as a security enhancement for static passwords, or sometimes even replace them entirely.
These passcodes can be generated through various mediums such as hardware tokens, authentication applications, or websites. Familiar One-Time Password variants include HOTP and TOTP.
Insight into TOTP
Time-Based OTPs, known as TOTP, are a subtype of OTP. The distinct feature of TOTP is that the code is bound to the current timestamp for authentication.
Furthermore, TOTP is characterized by a short validity period, typically ranging between 30 to 60 seconds. This time constraint augments its security because a potential hacker has only that brief window in which to use a captured code.
Pros and Cons of TOTP
Opting for TOTP as a security measure ensures robust protection owing to its brief validity period, making it an ideal second-factor authentication (2FA) method for banking transactions.
However, a notable downside of TOTP is the potential for delays in OTP generation and delivery. In such instances, the TOTP might expire before the user has the opportunity to utilize it. This shortcoming could result in user frustration, especially in emergency situations.
The Verdict
In sum, TOTP holds a strategic advantage over traditional OTPs due to its enhanced security features.
The brief validity period of TOTP, while providing additional security, can potentially cause user inconvenience if code delivery is not instantaneous.
Therefore, it’s crucial to strike a balance between security needs and user experience when selecting an OTP solution.
How to Generate and Use OTPs
How you generate a One-Time Password depends on the type you want: a time-synchronized type or a hash-based (counter) type.
Here is a step-by-step overview of how to create a One-Time Password.
- The first step begins on the backend server, which creates a secret key.
- The secret key is shared with the OTP generating service and is known only to the server and that service.
- Combining time as the moving factor with the secret key already generated, a hash-based message authentication code (HMAC) is computed using the cryptographic SHA-1 algorithm. Because time is an input here, you must be aware of inconsistencies in time between the backend server and the OTP generation service. A best practice is to use the Unix timestamp, which is independent of time zones.
- The HMAC the algorithm produces from the current time is 20 bytes long.
- For ease of use, the 20-byte HMAC is truncated to a shorter code (6-9 characters).
- With the counter system, a new OTP is generated once the counter advances; with the time-based system, a new OTP is generated after each time step.
- Send the code to the user to begin the authentication process.
A coding example of the above steps is given below (Python; the secret key and counter values are sample values only):
import hmac, hashlib
secretKey, counter, numberOfDigitsRequiredInOTP = b"12345678901234567890", 0, 6  # sample values only
# Obtain HMAC hash (using SHA-1 hashing algorithm) by secretKey and counter (counter encoded as 8 big-endian bytes)
hmacHash = hmac.new(secretKey, counter.to_bytes(8, "big"), hashlib.sha1).digest()
offset = hmacHash[19] & 0xf  # hmacHash[19] is the last of the 20 bytes; its low nibble selects the truncation offset
truncatedHash = ((hmacHash[offset] & 0x7f) << 24 | (hmacHash[offset + 1] & 0xff) << 16
                 | (hmacHash[offset + 2] & 0xff) << 8 | (hmacHash[offset + 3] & 0xff))
finalOTP = truncatedHash % (10 ** numberOfDigitsRequiredInOTP)  # ** is exponentiation; ^ would be bitwise XOR
After generating the OTP token, you need to know how to use it. Here is a guide to using or integrating an OTP service in your application for secured transactions.
- Set up an OTP generation service in your enterprise app or connect to an Authenticator app.
- Create a verification window that records which user was verified and which codes were used. This information is important so that the system never reuses an already-used code or accepts it a second time; reuse would open the door to replay attacks.
- Determine which channel to use to send One-Time Password tokens to customers: email, SMS, or voice.
- Once the user receives and enters the code, match it against your verification window to confirm identity and grant the user access.
A best practice when generating SMS OTPs is to limit the number of OTPs sent to a customer within a given period.
Too many OTP requests within a short window may indicate a hacker. In addition, you need an authenticator API that connects with your system for OTP generation.
Implementing OTPs in Applications

If you want to use One-Time Passwords for your business or link OTP with your enterprise app, some OTP software can help you. Let’s look at some of them and the requirements to implement this method.
Google Authenticator
It is a free OTP software available on most websites by default. Google Authenticator is popular among security experts due to the following reasons:
- It has a simple user interface that enables less tech-savvy users to use it easily.
- Google Authenticator supports both TOTP and HOTP.
- You can conveniently use it for all your apps without downloading separate OTP generation software.
- Google Authenticator works without a network connection, making it ideal for users worldwide.
Microsoft Authenticator
This popular OTP application works across Microsoft native apps such as the Microsoft Office suite. Why should you use it for your app? Let’s see some reasons.
- Microsoft Authenticator has a notification feature informing you of any attempt to log in with your credentials.
- It can act as a system to generate OAuth verification codes.
FreeOTP Authenticator
FreeOTP is a great addition to the OTP software landscape because it is open-source software. It works across most websites and has the following benefits:
- The software is very light and takes up little space on a device (less than 1GB).
- Its reliability is seen in its adoption by big digital firms like Facebook and Google.
- There are no proprietary issues with using it.
Yubikey
If you prefer a hardware OTP device, you can deploy Yubikey from Yubico for your security needs. The advantages of this method are:
- Yubikey is flexible and works independently of a network or internet connection.
- It uses the FIDO U2F standard, which is supported by most digital platforms.
- It is easy for customers to use.
Technical requirements
- Bulk SMS gateway
You need a service that helps you deliver OTPs quickly and simultaneously to your customers. You need a bulk SMS provider like WWT that can deliver high-priority OTP via SMS. An SMS gateway ensures that location is not a barrier to OTP delivery.
- OTP API
An OTP Application Programming Interface connects with your enterprise application to generate OTP. RESTful API endpoints help to authenticate and verify your employees and customers before they are granted access to your digital resources. Integrating with an OTP API saves you the hassle of developing an OTP generation service from scratch.
Best Practices in Implementing OTP
- Make the OTP codes shorter, preferably 6 characters or less.
- The OTP message should carry the appropriate header as ‘One-Time Password.’
- Give users several opportunities to resend the OTP.
Benefits and Challenges of Using OTPs
One-Time Passcodes offer valuable benefits for enterprises implementing them as part of their security framework. Some of the benefits include security, user experience, and manageability. Let’s expound on these points.
Security
Combining OTP with static usernames and passwords or as a standalone authentication elevates the security level of identity verification. Your customers’ details are better protected with these random alphanumeric codes. OTPs are also immune from replay attacks due to being single-use.
User experience
With OTPs, users don't have to worry about memorizing passwords. Every time they attempt to log in, a fresh OTP is generated, which they can use to verify their identity. On some apps, the received OTP is automatically copied into the authentication panel. This reduces friction for users and speeds up the authentication process.
Manageability
One-Time Passwords are easy to manage. It is usually an automated service with just one or a few administrators overseeing the system. OTP automation frees you up for more important tasks and guarantees better security than static passwords.
Reduced hiring costs
Implementing an OTP system for your business security needs automatically reduces the need for staff dedicated to resetting passwords. Lost or invalid passwords are among the top reasons people call a customer support service. OTP implementation removes the possibility of a hacker gaining access to a customer’s account using only the static password. Provided the device for receiving OTP is still in the user’s possession, the security of their account is guaranteed.
Drawbacks
It is not all rosy for OTP; some drawbacks affect its smooth operation. Here are some of the disadvantages.
Usability concerns
OTP does not always work smoothly. Delivery of an OTP may be delayed, frustrating users. OTP still depends on mobile networks to transmit codes to the users who request them, and these networks may experience glitches that affect delivery of the passcodes.
Another usability challenge is the friction users experience in copying the code from an SMS or email and pasting it into the verification panel. Where Time-based OTP is used, by the time the user receives, copies, and pastes the code, it may have expired. You can imagine how frustrating this must be for users.
Vulnerabilities in network systems
Even though OTPs are practically impossible to guess, they are still prone to hijacking through weak network infrastructure. Mobile network services are notoriously weak due to SS7 vulnerabilities, making it possible for hackers to snoop on text messages or calls. With sophisticated resources, an OTP sent via SMS can be intercepted by hackers.
Similarly, a hacker who hijacks a customer's email account gains access to any OTP sent via email.
Complexities in implementation
Implementing a One-Time Password system is not a walk in the park, and the system may need troubleshooting in some instances. For instance, if you decide to set up a TOTP system, you may face time synchronization issues. Since TOTP uses the device's time, the user's device may be in a different time zone or its clock may drift, and it must be in sync with the server for the user to be granted access. One way to beat this problem is to use a Unix timestamp, which is independent of time zones.
Real-World Examples

One-Time Passwords are widely used in different sectors and businesses. These businesses include e-commerce, banking, social media sites, etc.
E-commerce
E-commerce stores are one of the top targets of cybercriminals, with losses of up to $41 billion in 2022. OTP for e-commerce sites has helped online shopping sites prevent fraudulent transactions. OTP logins help verify that the customer whose phone number or email is linked to the account is the one making the transaction. Usually, the OTP is generated at the point of registration and checkout.
With OTP, customers can quickly enter their details and complete transactions. Examples of e-Commerce firms that use OTP include Amazon and Alibaba.
Banking
Financial institutions use One-Time passcodes to confirm transactions and prevent fraud. When customers want to use their debit or credit cards for any transaction, an OTP is generated alongside the card details and secret PIN. The implication is that when a hacker steals a customer’s card or accesses his financial details on the dark web, he cannot confirm transactions without providing the One-Time Password sent to the customer.
Another angle to it is that if the customer receives unsolicited OTP, it is a clear sign of a fraud attempt.
Social media sites
Telegram and WhatsApp are some of the social media sites that use OTP to authenticate user identities. WhatsApp automatically identifies a user’s phone number using OTP via voice call.
Government portals
State-controlled portals containing citizens' sensitive personal information use OTP to confirm each user on the portal. This prevents duplication of personal data and stops an impostor from hijacking critical and confidential information.
Conclusion
We have shown you how OTP works, its importance, and the types you can use. The article also explained how to generate One-Time Passwords to safeguard your database better.
Developing an OTP MFA system for your business is a cheap and easy way to beef up your enterprise security. Losses from data breaches can be devastating, and you don’t want that for your business. Using an OTP service protects you and your customers from the activities of cybercriminals.
If you still have any questions, please reach out to WWT here. We will answer all your questions and help you develop an efficient OTP-generating service.
FAQs
Which is more secure, HOTP or TOTP?
Both of them protect transactions, for different reasons. HOTP is more flexible for users because of its longer validity period. TOTP has a shorter validity, less than 2 minutes, but is more difficult to hack than HOTP, which affords hackers more time to hijack a code.
How do you generate a One-Time Password?
You can generate passcodes using authenticator apps such as Google Authenticator or Microsoft Authenticator. You can also use an OTP API service to generate OTP codes or build an OTP system from scratch.
How does a One-Time Password work?
An OTP system generates and sends a random code of about 6 characters for a user to verify their identity. It is usually preceded by the user entering a username and password as the first verification level.