← All terms
One-Time Password (OTP / TOTP)

What is a One-Time Password (OTP / TOTP)?

A one-time password is a short code valid for a single login or transaction. TOTP, the most common form, generates time-based codes from a shared secret.

Last updated: 14 July 2026

How one-time passwords work

All OTP schemes start from a secret shared between the user's device and the server, established once, typically by scanning a QR code into an authenticator app. TOTP (time-based OTP, RFC 6238) combines that secret with the current time, hashes them, and truncates the result into a 6-digit code that changes every 30 seconds. HOTP, the older counter-based variant, increments a counter per use instead of using the clock.

At login, the user enters the current code and the server, holding the same secret and the same clock, computes the expected value and compares. No code ever needs to travel between device and server in advance, and codes expire within seconds, so replaying an intercepted one quickly becomes useless. SMS and email OTPs work differently: the server generates a random code and delivers it over the network, which makes them dependent on the security of the delivery channel.

Why OTPs matter

OTPs are the most widely deployed second factor in the world. They convert authentication from something you know alone into something you know plus something you have, which defeats the most common attack there is: credential stuffing with passwords stolen from unrelated breaches. An attacker holding only the password fails at the OTP prompt.

Not all OTP channels are equal, though. SMS codes are vulnerable to SIM-swapping and interception, which is why security guidance has steadily shifted toward app-based TOTP. And no OTP variant is fully phishing-proof: a real-time proxy site can relay a freshly typed code to the legitimate service within its validity window. That residual risk is what push notifications with number matching mitigate, and what phishing-resistant passkeys eliminate entirely. OTP still raises the bar dramatically over passwords alone and remains the pragmatic baseline factor.

OTPs in practice

Rolling out TOTP is one of the fastest MFA wins available: authenticator apps are free, work offline, and enroll in seconds from a QR code. Operational details decide the quality of the deployment: secure the enrollment flow itself, provide hashed single-use backup codes for lost devices, rate-limit verification attempts, and keep server clocks accurate since TOTP tolerates only small drift.

Mature programs treat TOTP as one tier in a spectrum, stepping users up to push approval for convenience and passkeys for the strongest assurance, with risk policies deciding when a code is required at all. Monosign includes TOTP alongside push notifications and passkeys in its MFA options, and can require OTP codes over RADIUS for VPN and network logins as well.

Frequently asked questions

What is the difference between OTP, TOTP, and HOTP?
OTP is the umbrella term for any single-use code. TOTP derives codes from a shared secret plus the current time, changing every 30 seconds; it is what authenticator apps implement. HOTP derives codes from the secret plus a usage counter, so a code stays valid until used, which suits hardware tokens without clocks but makes stolen codes riskier.
Is SMS OTP safe to use?
It is meaningfully better than a password alone, but it is the weakest OTP channel. SIM-swapping lets attackers take over a phone number and receive codes, and SS7-level interception is documented. Standards bodies including NIST discourage SMS for high-value access; prefer authenticator apps, push approval, or passkeys, and keep SMS as a fallback at most.
Can an OTP be phished?
Yes. A proxy phishing site can capture both the password and the freshly typed OTP and forward them to the real service within the code's validity window. OTP defeats stolen-password attacks but not real-time phishing. For phishing resistance, use passkeys or FIDO2 security keys, which cryptographically bind authentication to the legitimate site's origin.