A one-time password (OTP for short) is a password that is valid for only a single use. Because each value is retired as soon as it has been used, a password that an attacker guesses, phishes or intercepts as its legitimate owner types it cannot be replayed later; the attacker's window of opportunity shrinks to the short interval in which that particular value is still accepted.

OTPs are most commonly generated by a device, in the physical size and shape of a credit card or key fob, that displays a new number at a fixed interval (every 60 seconds on classic hardware tokens). The number is not truly random: it is computed from a secret seed stored in the device and the current time, so the authenticating system, which holds a copy of that seed, can calculate what the device should currently be displaying and compare it with what the user typed. A user signs into a system using such a device by keying in the currently displayed number plus a PIN. Combining a one-time-password device (something the user has) with a PIN (something the user knows) in this way is a form of multi-factor authentication.

One-time passwords may be generated in other ways. For example, users might be given a sheet of paper with a series of randomly generated strings and instructed to use them one at a time, in sequence, striking each one off once it has been used. Tokens may also be event-based rather than time-based: each use advances a counter, and the code is derived from the seed and that counter. In that case the server records the last counter value it accepted and refuses any code at or below it, which is what prevents a captured code from being replayed.
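The time-based tokens described above and the counter-based alternative just mentioned rest on the same primitive: an HMAC over the seed and a moving factor (the current time step or the event counter), truncated to a short decimal code. The following is an added example, not code from the original page or from Hitachi ID, implementing the two standardized forms, HOTP (RFC 4226) and TOTP (RFC 6238), together with the server-side checks a practitioner needs: a small time window to tolerate clock drift, a counter look-ahead with replay refusal for event-based tokens, and constant-time comparison of codes. The seed and timestamps in the demo are the published RFC test vectors; the function names are my own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): token side and server side.

Added example; uses only the Python standard library.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation":
    the low nibble of the last byte selects a 4-byte window, whose value
    (with the top bit cleared) is reduced modulo 10**digits.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter = floor(unix_time / step).

    This is what the device displays; the server runs the same computation.
    """
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side TOTP check.

    Accepts the current step plus/minus `window` steps so a token whose clock
    has drifted slightly still works; keep the window small, since every extra
    step is another code an attacker may guess. Comparison is constant-time.
    """
    current = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits), code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side HOTP check for event-based tokens.

    Tries counters last_counter+1 .. last_counter+look_ahead (the user may have
    pressed the button a few times without logging in). Returns the counter that
    matched so the caller can persist it as the new last_counter; a code at or
    below last_counter is never accepted, which is the replay defence.
    """
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Seed from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    print("HOTP counter 0..2:", [hotp(seed, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(seed, 59, digits=8))
    # Drift tolerance: a code from step 1 is still accepted one step later...
    print("accept at t=89:", verify_totp(seed, totp(seed, 59, digits=8), 89, digits=8))
    # ...but not two steps later.
    print("accept at t=119:", verify_totp(seed, totp(seed, 59, digits=8), 119, digits=8))
    # Event token: counter 2 accepted after last_counter=0; counter 0 is a replay.
    print("HOTP look-ahead:", verify_hotp(seed, hotp(seed, 2), last_counter=0))
    print("HOTP replay:", verify_hotp(seed, hotp(seed, 0), last_counter=0))
```

The functions are deliberately split so the same `hotp` routine serves both the token and the server: the security of the scheme lives entirely in the seed and in the server's bookkeeping (window size, last accepted counter), not in any secret algorithm.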

One-time passwords may be generated by a dedicated device issued to users, by software installed on their mobile phones, or by software installed on their PCs. The latter two are sometimes referred to as soft tokens (software-based tokens), in contrast to the hard tokens, the physical devices they replace.

Vendors of one-time-password devices include RSA Security, Vasco and Dell/Quest.

The security of OTP devices depends on the secrecy of the seed used to generate the OTP sequence: the algorithm is generally public, so anyone who obtains a token's seed can compute every code that token will ever display, and the server-side seed store is therefore at least as sensitive as a password database. This was made evident by a major security compromise at RSA Security in 2011, in which a successful penetration of RSA's network is purported to have exposed the seeds of all then-issued RSA tokens, calling into question the trustworthiness of those tokens at every RSA customer.

Hitachi ID Password Manager includes features to assist users who have an OTP token and experience a login issue, such as a forgotten PIN or a misplaced token. It supports self-service PIN reset, emergency passcode issuance, clock resynchronization for tokens whose clock has drifted from the server's, and more.
