Back to blog

How to implement One-Time Password for your project in 4 steps

Irina Podorvan
18 April, 2022

The word OTP has become very common in conversations regarding the security of online systems. 

OTPs (One-time Passwords) are unique passwords that can only be used once. They’re disposed of immediately after their one-time validity expires.

Speaking of the regular passwords, did you know that the most popular password in use today is “123456”? 

It is used by a holy 17% of the Internet population. You must already see the problem with static passwords.

But with the vast amount of data online and the unlimited stack of resources in the hands of hackers, the security of your projects has never been more important.

Unfortunately, you cannot rely on the “old school” static password systems to secure your projects. OTPs have proven to be the best fix or improvement for static password systems. OTP systems can replace the static systems on your websites, though both technologies work better together.

What does OTP mean?

What is the one-time password? To answer that, let’s see how regular password systems work: During signups, users create their passwords which they’ll have to memorize.

OTP systems are a little different. As the name would suggest, One-time passwords are a series of characters (letters or numbers) that are auto-generated and only used once for a single login session or transaction. This means users don’t own the passwords. “20129” is an example of a one-time password.

At sign-up pages, OTP systems automatically generate short passwords (passcodes) that are sent to users by email or text messages with the help of white label SMS platforms. Users are expected to read and type in these passwords to confirm their identities. This shields your systems from regular hacking techniques like phishing, password sniffing, man-in-the-middle attacks, and even replay attacks.

OTPs can be used in combination with static password systems, where they enable multiple-factor authentication for your websites and add another layer of security.

Why are OTPS better than static password generation?

99.9% of security attacks are blocked by multi-factor authentication, according to Microsoft. OTPs make multi-factor authentication possible. Static password generation is convenient for users, but people are often too careless with their passwords.

With multi-factor authentication, your password and username are not sufficient. The one-time shortcode is instantly sent to you via email or SMS (text message OTP), requesting you to further confirm your identity.

OTPs are safer and better because:

  • They’re generated automatically and instantly. This significantly prevents hacks, given that 80% of hacking incidents are caused by stolen and reused login information. 

Also considering that 81% of company data breaches are caused by poor passwords, auto-generated one-time passwords are definitely better at providing safety.

How do One-Time Passwords work?

OTP systems function based on shared secrets between the user’s app or website and the authentication server. Basically, when an unauthenticated user attempts to access the system, an authentication protocol on the network server automatically generates a series of characters or numbers (shared secrets). The protocol does so using one-time password hash algorithms.

How to generate one-time passwords?

Apps that use OTP rely on a PIN and a microprocessor-based smartcard called a token to generate the numeric or alphanumeric one-time passwords.

Verify an OTP

What is OTP verification? The actual numbers or characters of the one-time passwords are generated using the Hashed Message Authentication Code (HMAC) algorithm, together with a variable parameter. Such parameters could be;

  • Time: which creates Time-based One-time passwords (TOTP) or,
  • An event counter, which creates a HOTP: The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC)

The OTP values have timestamps that last for seconds or minutes for greater security. The one-time password is sent to the user trying to gain access to the system. The same number and OTP generation algorithm are used by the security token on the smart card to match and validate the one-time password and the user.

Request an OTP

If you’re logging into an online system that requires a one-time password (OTP), you will be sent the OTP via an SMS gateway (text messaging), by email, or through a dedicated application. 

  1. You’re required to input this code prior to finalizing your transaction online. However, the OTP code is sent to you on request.
  2. The requested OTP should arrive almost instantly. In case your OTP doesn’t arrive in under a minute, there may have been temporary network issues or delays with your Internet service provider (ISP).  
  3. You can request for another OTP to be sent to you.

Benefits of one-time passwords

One-time passwords are quite popular in the era where cyber theft threatens the safety of your infrastructure. Here are a few benefits of one-time passwords:

  • Stolen passwords/Password Sharing: 

Since the start of 2017, Hackers have published about 555 million stolen passwords on the dark web, according to Cnet. Password theft is a huge weakness of static password systems. With one-time passwords, users have no ownership and so theft is almost impossible. How do you steal a password that is automatically generated at sign-up and only lasts 60 seconds to a few minutes? Really hard!

  • Short-term validity expiration times: 

As we’ve seen already, OTPs have a short life span ranging from a few seconds to a few minutes. Common attacks like phishing and password sniffing are really difficult to pull off on systems that have OTPs.

  • An extra layer of security:

Strong passwords and good password habits are already a big problem for hackers. When you add an extra layer of security in addition to the password and the usernames, it presents a bigger challenge for hackers.  2 Factor authentication basically asks the question: “Are you who you say you are?”

  • Weak or common passwords

Passwords like “abc123”, “Password”, “123456”, etc. are the most common passwords used by a whopping 24% of Americans. Weak and common passwords are a big problem for static password systems. A problem that OTPs have been able to fix. That extra layer of security with the OTPs ensures that your identity can’t be easily stolen. Do well to practice all good password habits regardless.

Drawbacks of OTP

Like every good system, OTPs have problems too.

  • Inconvenient for users: The fact that users have to request for an OTP to be sent to users, requiring them to wait for an extra minute is a bit annoying. Users after taking the time to enter their passwords and usernames will still have to wait for these shortcodes.
  • Codes are still sent via SMS or email: The glory of OTPs lies in their short-term validity and auto-generation, which means hackers can’t intercept them. But, these codes are still sent via email or SMS. These channels are still somewhat vulnerable to high-level hackers who might just be waiting at the right moment.
  • Delays caused by network intermittence: Users are sometimes frustrated when codes arrive too late; having already expired while they wait. Sometimes the codes don’t arrive at all, and users especially in low bandwidth areas are obliged to request new OTPs over and over again. All this can be really frustrating to deal with. 

More complex to set and maintain: In a later section, we’ll discover how to set up an OTP system; especially with regards to the necessary components. In general, OTP systems are more complex to set up and maintain, compared with static systems. The extra OTP requests and verification toolkits add to the bulk.

Which big fishes have it

OTPs are generally used by brands that deal with sensitive user data. Some of these include

  • Telegram: The social media brand known for privacy.
  • Facebook: World’s most used social media platform uses OTP, although it’s not mandatory for users. 
  • Github: The open-source platform for developers around the world
  • Microsoft: Manufacturer and distributor of the world’s leading PC operating system.
  • Apple: OTPs are used across a wide range of apple products.

What do you need to implement One-Time Password in your project

You must be wondering: “How do I get OTP verification for my app?” 

OTP implementation is possible with several different technologies. Each technique brings its own trade-offs in terms of security, convenience, cost, and accuracy. The most common options are

  • Grid cards
  • Security tokens
  • Smart cards, and OTP

Grid cards

Grid cards are credit card-sized plastic cards that fit into the user’s wallets. Printed on these cards are security grids (a matrix of random numbers and letters marked in rows and columns). The security grids can be used for SMS two-factor authentication

How? Security grids can be auto-generated and sent confidentially to the users by email or SMS.  Users then enter these numbers as one-time passwords, to identify themselves on systems that use this technology.

Security tokens

How does the OTP token work? 

Security tokens are hardware devices capable of generating one-time passwords for security systems. Some of these tokens are PIN protected, assuring an extra level of security.

Smart cards and OTP

Smart cards are microprocessor-based hardware tokens also capable of generating one-time passwords using Hashed Message Authentication Code. They’re more advanced compared to regular tokens, providing stronger authentication, higher storage capacity, processing power, and ease of implementation.

Public Key Infrastructure (PKI) for OTP strong authentication

PKI technology provides one of the most comprehensive security with 2-factor authentication (2FA). In other words, they’re a more complex alternative to OTP systems.

PKI’s are also the most difficult mechanisms to implement, given the lack of corporate expertise in the technology. Certain vendors are offering a PKI-based solution as a service where enterprises don’t need to bother about key management.

Conclusion

OTPs are here to stay because they guarantee security in a way that static systems can’t. 

Regardless of what technologies you choose for your projects, you will absolutely need an email or text messaging service that takes privacy and security very seriously. 

Get in touch with the BSG for all your messaging services/OTP needs.

Other our products:

Read these articles next: