How one-time passwords work
All OTP schemes start from a secret shared between the user's device and the server, established once, typically by scanning a QR code into an authenticator app. TOTP (time-based OTP, RFC 6238) combines that secret with the current time, hashes them, and truncates the result into a 6-digit code that changes every 30 seconds. HOTP, the older counter-based variant, increments a counter per use instead of using the clock.
At login, the user enters the current code and the server, holding the same secret and the same clock, computes the expected value and compares. No code ever needs to travel between device and server in advance, and codes expire within seconds, so replaying an intercepted one quickly becomes useless. SMS and email OTPs work differently: the server generates a random code and delivers it over the network, which makes them dependent on the security of the delivery channel.
Why OTPs matter
OTPs are the most widely deployed second factor in the world. They convert authentication from something you know alone into something you know plus something you have, which defeats the most common attack there is: credential stuffing with passwords stolen from unrelated breaches. An attacker holding only the password fails at the OTP prompt.
Not all OTP channels are equal, though. SMS codes are vulnerable to SIM-swapping and interception, which is why security guidance has steadily shifted toward app-based TOTP. And no OTP variant is fully phishing-proof: a real-time proxy site can relay a freshly typed code to the legitimate service within its validity window. That residual risk is what push notifications with number matching mitigate, and what phishing-resistant passkeys eliminate entirely. OTP still raises the bar dramatically over passwords alone and remains the pragmatic baseline factor.
OTPs in practice
Rolling out TOTP is one of the fastest MFA wins available: authenticator apps are free, work offline, and enroll in seconds from a QR code. Operational details decide the quality of the deployment: secure the enrollment flow itself, provide hashed single-use backup codes for lost devices, rate-limit verification attempts, and keep server clocks accurate since TOTP tolerates only small drift.
Mature programs treat TOTP as one tier in a spectrum, stepping users up to push approval for convenience and passkeys for the strongest assurance, with risk policies deciding when a code is required at all. Monosign includes TOTP alongside push notifications and passkeys in its MFA options, and can require OTP codes over RADIUS for VPN and network logins as well.