Glossary

OTP

One-Time Password

OTP (One-Time Password) is a single-use authentication code, typically 6 digits, that’s valid for a short window. Combined with a regular password it forms two-factor authentication (2FA).

Three common delivery channels:

  • SMS OTP — code texted to the user’s phone. Most common, also least secure (SIM-swap attacks).
  • TOTP (time-based, RFC 6238) — generated by an authenticator app from a shared secret + current time. No network needed. Common in Google Authenticator, Authy, 1Password.
  • HOTP (counter-based, RFC 4226) — increments a counter per use. Now rare except for hardware tokens like YubiKey OTP mode.

OTPs defeat password reuse attacks (the stolen password alone is useless) but don’t defeat modern phishing: an attacker who phishes the OTP can replay it within the validity window. Hardware-key-based (FIDO2 / WebAuthn) authentication does defeat phishing because the key’s signature is bound to the origin of the site that requested it, so a credential phished on a look-alike domain is useless on the real one.

Published May 15, 2026