CIAM.wiki


One-Time Password (OTP)

A one-time password is a code valid for a single login or a short time window, used as a second factor, generated by an authenticator app or sent over SMS or email.

Also: OTP, TOTP, one-time passcode

A one-time password is a code that works only once or only for a brief window, used as a second factor on top of a password or as a step-up check. Time-based one-time passwords, defined in RFC 6238, are computed from a shared secret and the current time divided into fixed steps (30 seconds by default), which is what authenticator apps display as a rotating code, usually six digits. The earlier HOTP scheme in RFC 4226 uses the same HMAC-and-truncate construction but drives it with a counter that increments on each use instead of the time.
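The construction described above, as an added example that is not part of the original glossary entry: HOTP per RFC 4226, TOTP per RFC 6238 layered on top of it, and a server-side check that tolerates one step of clock drift while refusing to accept the same step twice. The seed is the ASCII string "12345678901234567890" from the RFCs' own test vectors (8 digits in the RFC 6238 table, 6 for RFC 4226); everything else is standard-library Python.

```python
import hashlib
import hmac
import struct

# Seed from the RFC 4226 / RFC 6238 test vectors: ASCII "12345678901234567890".
# It is a published test value, not a secret anyone should deploy.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear sign bit
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor((time - T0) / step)."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_step=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the accepted time step, or None if rejected.

    window:    steps of clock drift tolerated on either side of the current step.
    last_step: most recently accepted step for this user; candidates at or
               before it are refused, so a code that has been used cannot be
               replayed inside the drift window.
    """
    # Reject anything that is not exactly `digits` ASCII digits before comparing.
    if not (len(submitted) == digits and submitted.isascii() and submitted.isdigit()):
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_step is not None and candidate <= last_step:
            continue
        # Constant-time compare so a wrong guess does not leak how close it was.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 4226 Appendix D: counters 0 and 1 -> 755224, 287082
    print(hotp(RFC_TEST_SECRET, 0), hotp(RFC_TEST_SECRET, 1))
    # RFC 6238 Appendix B: T=59 with 8 digits -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    now = 1111111111
    code = totp(RFC_TEST_SECRET, now)                      # "050471"
    step = verify_totp(RFC_TEST_SECRET, code, now)          # 37037037
    print("accepted step", step)
    print("replay", verify_totp(RFC_TEST_SECRET, code, now, last_step=step))  # None
```

The replay guard is what makes the code "one-time" in practice: RFC 6238 alone only bounds validity to a time window, so a server that does not remember the last accepted step will take the same code twice within that window. Note that the check is still not phishing-resistant; a relay that forwards the victim's current code to the real service inside the window passes it.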

OTP strength depends on how the code is generated and delivered. App-generated codes stay on the user's device until typed in, so there is no transit to intercept. Codes sent over SMS or email add delivery risks: they can be read from a compromised mailbox, intercepted in transit, or redirected through a SIM swap or carrier port-out. Every OTP, however delivered, can be phished in real time: a proxy site that relays the code to the legitimate service inside its validity window defeats it.

For CIAM, OTP is a familiar and widely supported factor, but it is not phishing-resistant. Passkeys are the stronger direction, and OTP is increasingly a fallback rather than the primary defense.
