What is a One-Time Password (OTP)?
A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. An OTP is typically sent via SMS to a mobile phone, and they are frequently used as part of two-factor authentication (2FA). The NIST organization has recently deprecated SMS as a weak form of 2FA and encourages other approaches for strong 2FA.
How do one-time passwords work?
OTPs are delivered in many ways, usually via an object the user carries with him, such as his mobile phone (using SMS or an app), a token with an LCD-display, or a security key. OTP technology is compatible with all major platforms (desktop, laptop, mobile) and legacy environments, making it a very popular choice among second-factor protocols.
Are there any limitations to traditional OTP?
- Users need to type codes during their login process.
- Manufacturers often possess the seed value of the tokens.
- Administrative overhead resulting from having to set up and provision devices for users.
- The technology requires the storage of secrets on servers, providing a single point of attack
Are there additional advantages to 2-factor authentication when using Yubico OTP?
No client software needed. The OTP is just a string. If you can send a password, you can send an OTP.
Easy to implement. Using YubiCloud, supporting Yubico OTP is not much harder than supporting regular passwords.
YubiKey ID embedded in OTP. This allows for self-provisioning, as well as authenticating without a username.