Security · 8 min read · 2026-01-28

Understanding OTP: How One-Time Passwords Work Under the Hood

A deep dive into the technology behind one-time passwords — TOTP, HOTP, and SMS-based OTP — and how they keep your accounts secure.

One-time passwords (OTPs) are everywhere: from logging into your bank account to confirming a food delivery. But how do they actually work? This article explains the mechanisms behind the codes you type every day.

What Is an OTP?

An OTP is a password that is valid for only one login session or transaction. Unlike static passwords that remain the same until you change them, OTPs expire after a single use or after a short time window. This makes them significantly harder for attackers to exploit.

Three Types of OTP

1. SMS-Based OTP

The most common form. A server generates a random code, stores it temporarily, and sends it to your phone via SMS. When you enter the code, the server checks it against the stored value and, if it matches, grants access.

**Strengths:** Universal — works on any phone that can receive texts. No app installation needed.

**Weaknesses:** Vulnerable to SIM-swap attacks and SS7 protocol exploits. Delivery can be delayed by carrier issues.

2. TOTP (Time-Based One-Time Password)

Used by apps like Google Authenticator and Authy. Both the server and your device share a secret key. Every 30 seconds, both sides independently compute a new 6-digit code using that key and the current time. Since both sides use the same algorithm and the same clock, the codes match.

**Strengths:** Works offline. Not vulnerable to SIM swapping. Codes rotate every 30 seconds.

**Weaknesses:** If you lose your device, recovery can be difficult. Requires initial setup via QR code.

3. HOTP (HMAC-Based One-Time Password)

Similar to TOTP, but instead of using time, it uses an incrementing counter. Each time you generate a code, the counter advances by one. The server keeps its own copy of the counter and checks the submitted code against it, advancing its copy on success.

**Strengths:** Does not depend on synchronized clocks. Works in environments without reliable time sources.

**Weaknesses:** Can get out of sync if the counter on the device and server diverge.

The Math Behind TOTP

TOTP uses the HMAC-SHA1 algorithm by default. Here is a simplified version of the process:

1. Take the shared secret key and the current Unix timestamp divided by 30, rounded down to a whole number (the time-step counter)

2. Compute HMAC-SHA1(secret, counter), with the counter encoded as an 8-byte big-endian integer

3. Extract a 4-byte segment from the hash, at an offset chosen by the low 4 bits of the hash's last byte (dynamic truncation)

4. Convert those bytes to a number and take modulo 10^6 to get a 6-digit code

This entire process happens in milliseconds, both on the server and on your authenticator app.
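The four steps above, plus the server-side checks the HOTP section alludes to (a look-ahead window so a device that has advanced its counter can resynchronise) and a small clock-skew allowance for TOTP, as an added example in Python. This is not code from the original post; it follows RFC 4226 and RFC 6238 and uses their published ASCII test secret `12345678901234567890` (constructed for checking against the RFC test vectors, not a secret anyone should deploy). The function names `hotp`, `totp`, `verify_totp` and `verify_hotp` are this example's own.

```python
import hashlib
import hmac
import struct
import time

# Test secret from RFC 4226 / RFC 6238 (ASCII). A real secret is random bytes
# from a CSPRNG, provisioned to the device once (usually via the QR code).
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then modulo 10^digits, zero-padded."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: low 4 bits of the last byte select an offset into
    # the 20-byte MAC; read 4 bytes there and clear the top bit (sign bit).
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, skew=1):
    """Accept the code for the current step and `skew` steps on either side,
    tolerating small clock drift between device and server. Compare in
    constant time so the check does not leak how many digits matched."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def verify_hotp(secret, code, server_counter, look_ahead=10, digits=6):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4):
    the device may have generated codes that never reached the server, so its
    counter can be ahead. Returns the next expected counter on success (the
    caller must persist it and never move it backwards), or None on failure.
    Counters below server_counter are rejected, which blocks code replay."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


if __name__ == "__main__":
    # RFC 4226 vectors: counter 0 -> 755224, counter 1 -> 287082
    print(hotp(SECRET, 0), hotp(SECRET, 1))
    # RFC 6238 vector: time 59 (T=1), 8 digits -> 94287082
    print(totp(SECRET, 59, digits=8))
    print(totp(SECRET))  # a live 6-digit code for the test secret
```

The `verify_*` functions are the part an authenticator app never shows you: the server decides how much drift to forgive, and a wider `skew` or `look_ahead` trades a little security (more codes are valid at once) for fewer spurious rejections.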

Why OTPs Matter for Developers

If you are building an application that uses SMS-based OTP, you need to test the entire flow thoroughly:

  • Does the code arrive within an acceptable time window?
  • Does the code expire correctly after the configured TTL?
  • Does rate limiting kick in after too many failed attempts?
  • Does the system handle edge cases like expired codes or reused codes?
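The server side of an SMS-based OTP flow with each of those checks built in, as an added example in Python (not code from the original post). It keeps state in memory and returns the code from `issue()` instead of handing it to an SMS gateway, so the expiry, replay, rate-limit and wrong-code paths can be exercised offline with an injectable clock; the class and method names (`OtpService`, `ManualClock`, `issue`, `verify`, `demo`) and the sample phone numbers are this example's own.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class ManualClock:
    """Clock that only moves when told to, so TTL behaviour is testable."""
    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class OtpService:
    """In-memory stand-in for the server side of an SMS OTP flow.
    A real deployment keeps this state in a shared store and hands the code
    to an SMS gateway; here issue() returns it so the flow runs offline."""

    def __init__(self, ttl_seconds=300, max_attempts=5, digits=6, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.digits = digits
        self.clock = clock
        self._pending = {}  # phone -> PendingOtp

    def issue(self, phone):
        # secrets.randbelow draws from the OS CSPRNG; random.randint would not.
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        # Issuing a new code replaces (and so invalidates) any earlier one.
        self._pending[phone] = PendingOtp(code=code, expires_at=self.clock() + self.ttl)
        return code  # production: sms_gateway.send(phone, code); do not return it

    def verify(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return "no_code"
        if entry.used:
            return "already_used"          # single use: a replayed code fails
        if self.clock() > entry.expires_at:
            del self._pending[phone]
            return "expired"               # TTL enforced server-side
        if entry.attempts >= self.max_attempts:
            return "rate_limited"          # stops online guessing of 10^6 codes
        entry.attempts += 1
        # Constant-time compare so timing does not leak matching prefixes.
        if not hmac.compare_digest(entry.code, submitted):
            return "wrong_code"
        entry.used = True
        return "ok"


def demo():
    """Walk every branch of verify() and return the outcomes in order."""
    clock = ManualClock()
    svc = OtpService(ttl_seconds=300, max_attempts=3, clock=clock)
    phone = "+15550000001"  # constructed sample number
    results = []

    code = svc.issue(phone)
    wrong = "000000" if code != "000000" else "000001"
    results.append(svc.verify(phone, wrong))  # wrong_code
    results.append(svc.verify(phone, code))   # ok
    results.append(svc.verify(phone, code))   # already_used (replay)

    code = svc.issue(phone)
    clock.advance(301)                        # just past the 300 s TTL
    results.append(svc.verify(phone, code))   # expired

    code = svc.issue(phone)
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(3):
        svc.verify(phone, wrong)              # burn the attempt budget
    results.append(svc.verify(phone, code))   # rate_limited, even though correct

    results.append(svc.verify("+15550000002", "123456"))  # no_code
    return results


if __name__ == "__main__":
    print(demo())
```

Swapping `ManualClock` for a real clock and `issue()`'s return value for a gateway call gives the shape of a production service; the checks in `verify()` are the ones the four questions above are probing, and a test that drives them through a temporary phone number should see the same outcomes `demo()` produces.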

Temporary phone numbers are valuable for this kind of testing because they let you run end-to-end verification without managing real SIM cards or burning through paid SMS credits.

Conclusion

OTPs are a cornerstone of modern authentication. Understanding how they work — whether time-based, counter-based, or SMS-delivered — helps you make better decisions about security in the applications you build and the services you use.