Ask Identive

What is “OTP,” How Does it Work and Where Exactly is it Used?

“I hear my IT department talking about ‘OTP’ and it seems that it is used in place of some passwords. What is this really, how does it work, and where exactly is this used? Thanks.”

Simply stated, an OTP (one-time password) generator is a software program (on a PC or a smartphone, as an app) or a purpose-built hardware device (such as a key fob) that the user has access to, and it generates a password the user enters to authenticate to the application they are trying to reach. Because the generated password changes frequently, it is not static the way a normal password is. The result is that social-engineering attacks aimed at learning passwords, and hackers who harvest passwords, have a much harder time, because you really can’t write these codes down or store them for future use; you have to have access to the generator each time you authenticate. (Note: the details vary with the type of algorithm being used, time-based or event-based, but for simplicity this article assumes time-based, as it is the most common.)

So a use case for a user may look like this: the user goes to the application to log in as they normally would, let’s say a VPN. They go to their VPN address or client on their computer, press the button on their OTP token or program, and it generates a random number, which they enter into the application. While the number is random and changes for each use, the user must also enter a PIN that is unique to them (as at an ATM) to prove that the device is theirs; otherwise, anyone who got hold of the device could generate a valid password and use it. The PIN is entered into the application along with the one-time password. After the user enters the one-time password and PIN, the application checks them with a specific server that knows what that password is going to be, because it runs a matching algorithm. That server tells the application “yes/no”, and the user gets in if they entered the correct numbers.

Now to answer the question: exactly where are they used? This is a seemingly simple answer, but it would be misleading without proper context. First, consider how and why this method came about. Twenty-five years ago, as more information was being put into digital form (on servers) and workers were communicating electronically, it became a business imperative to let employees access that information remotely. You therefore wanted to be able to tell whether a valid user was trying to do so, or a hacker on the other side of the world, cold-war style. Primarily it was, and still is, used as a “perimeter technology”, meaning it is used for VPN access to get into the network and, to some degree, for specific applications after that. It is therefore really known as a “remote access” authentication technology, because that is where it has been well suited.

Some inherent limitations prevent OTP from being used more pervasively beyond remote-access situations. The first reason is the use case. Generally, companies only require authentication to the network if you are not in one of their controlled buildings; otherwise you can just plug in, so generating an OTP to get on the network is not required. Using an OTP for some applications may still be required, but in general, forcing users to enter an OTP multiple times a day causes some level of resistance and revolt. Users generally don’t enjoy the process: the number can change by the time they finish entering it, and they have to do it all over again, on top of dealing with the fob. The second reason is technical limitations. The requirements to protect data where it resides, while it is being sent and while it is being accessed are much more demanding today than they were 25 years ago, and OTP capability has not changed. OTP does not lock down your computers or servers, does not encrypt data itself, and cannot sign applications or email to validate their authenticity. Therefore, there are increasingly many places where tokens cannot be used, and another solution is required either to perform the functions where a token falls short, or to take its place entirely by covering all the required scenarios.
