Have you ever waited for a confirmation code to arrive in your email or on your mobile device? If so, you have already used an OTP implementation. OTP stands for One Time Password. One Time Passwords appear in most of the authentication processes we see on the web. Following are a few examples.
A One Time Password (OTP) must be bound to a single authentication attempt or session of the user and must never be accepted again once it has been used; otherwise an attacker who captures the code can replay it. For additional security there are Time-based One Time Passwords (TOTP, RFC 6238), which are derived from a shared secret and the current time, so a code is only valid within a short time window (typically 30 seconds, plus a small allowance for clock drift). When TOTP is used you must provide the code within that window.
Single Factor Authentication (SFA) and Two Factor Authentication (2FA) are two different models of authentication. SFA verifies the user with a single category of evidence, usually something the user knows; a traditional username and password form is the typical example. 2FA requires evidence from two different categories, for example something the user knows (a password) plus something the user has (a phone or a hardware token); when more than two categories are combined the term is Multi-Factor Authentication (MFA). An OTP that is delivered to, or generated on, a device the user holds is the most common second factor.
Implementing OTP adds some cost, but it gives your application the following benefits.
Following is a general architecture for an OTP implementation.
Note the following about this architecture.
The architecture can always be adapted to the security requirements of the application.
Even though an OTP can be time restricted, a short numeric code can in theory be guessed: a six-digit code has only 1,000,000 possible values, so brute force is a real concern if the server accepts unlimited attempts. We therefore have to increase the randomness and uniqueness of the OTP and limit how often it can be tried. Codes must come from a cryptographically secure random source or from a keyed function, never from a plain pseudo-random generator. The standard way to make each code unique per time step is to combine a per-user secret with the UNIX timestamp of the generation time, which is exactly what HOTP/TOTP do with an HMAC over the secret and the time counter. The user's password hash should not be used as that secret: reusing it as key material ties the second factor to the first, so a leaked password hash would compromise both. On the server side each code is accepted at most once, only within its validity window, and after a small number of wrong attempts verification for that user is locked.
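The following is an added example (not code from the original post) that implements the TOTP scheme mentioned above together with the server-side countermeasures just described: a code derived from a per-user secret and the time counter, constant-time comparison, a small clock-drift window, single use of each code, and an attempt limit. The secret value and the `TotpVerifier` class name are assumptions chosen for this example; the secret happens to be the one used by the RFC 6238 reference test vectors, so the generated codes can be checked against that document.

```python
import hashlib
import hmac
import struct

# Assumed per-user secret for this example. It is the 20-byte ASCII secret used
# in the RFC 6238 reference vectors, so the output can be cross-checked.
# In a real deployment each user gets a random secret from os.urandom().
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verification state for one user.

    Enforces: constant-time comparison, a +/-`drift` step window for clock
    skew, single use of each accepted time step, and a lockout after
    `max_attempts` consecutive failures (the brute-force countermeasure).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 drift: int = 1, max_attempts: int = 5):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.max_attempts = max_attempts
        self.used_counters = set()  # time steps already accepted (replay defence)
        self.failures = 0

    def is_locked(self) -> bool:
        return self.failures >= self.max_attempts

    def verify(self, submitted: str, now: int) -> bool:
        if self.is_locked():
            return False  # refuse even a correct code once locked out
        if len(submitted) != self.digits or not submitted.isdigit():
            self.failures += 1
            return False
        base = now // self.step
        for counter in range(base - self.drift, base + self.drift + 1):
            if counter in self.used_counters:
                continue  # this step's code was already consumed
            expected = hotp(self.secret, counter, self.digits)
            # compare_digest avoids leaking the matching prefix through timing
            if hmac.compare_digest(expected, submitted):
                self.used_counters.add(counter)
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    now = 1_000_000  # constructed timestamp for the demonstration
    verifier = TotpVerifier(EXAMPLE_SECRET)
    code = totp(EXAMPLE_SECRET, now)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

The drift window is deliberately small: every extra step the server accepts multiplies the number of codes an attacker could hit, so widening it without tightening the attempt limit weakens the scheme. For the same reason the failure counter is reset only on a successful verification, not on a timeout.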
There is a market sector built around OTP services, devices, and so on. The OTP segment is part of a wider two-factor authentication market valued at $3.5B in 2018 and forecast to reach $8.9B by 2024, according to global market researchers. The primary customers are enterprises, banking, finance, insurance and securities, government, healthcare, and gaming, where user account safety matters most.
https://en.wikipedia.org/wiki/One-time_password
https://www.thalesgroup.com/en/markets/digital-identity-and-security/technology/otp
https://www.researchgate.net/figure/Classic-two-factor-authentication-flowchart_fig10_283489178