
Improve security with OTPs: Guide to one-time passwords

Amy Elliott
· 9 min read · Tips and resources · October 21st, 2022
If you’re looking for a way to make your customers’ experience and your app or website more secure, one-time passwords (OTPs) are the ideal solution—and you can start sending them today with MailerSend!

The use of the internet in our everyday lives and businesses has grown into something almost unimaginable. We’re managing whole businesses online with remote workers all over the world, running online storefronts and offering exclusively internet-based services. With so much of what we do now residing online, it’s no surprise that the rate of security breaches has exploded right alongside it. But, there are solutions that businesses can implement to protect themselves and their customers—in this article, we’re talking OTPs. 

One-time passwords are a simple yet highly effective way to prevent hackers from gaining access to online accounts. They work by providing a unique password every time the user logs in. 

Keep reading to learn more about OTPs and how they work, plus how you can easily set up and start sending OTPs with MailerSend. Let’s get to it!

What is an OTP?

A one-time password (sometimes referred to as one-time passcode) is an algorithm-generated password used to authenticate a single transaction or login session. 

OTPs can be used for the entire authentication process, for example, using an OTP on its own to log in along with the user’s username, email address or phone number. Or, it can be a part of a multi-layer authentication process, such as two-factor authentication (2FA) or multi-factor authentication (MFA). This involves the user logging in with static credentials and then using an OTP as an additional layer of authentication. 

OTPs offer additional security because:

a) They provide a unique password every single time the user completes a transaction or logs in, so a password that is captured cannot be reused.

b) OTPs are stronger and more secure passwords that are made up of random characters compared to user-generated passwords which are often weaker and more predictable.

Types of OTPs

There are three types of OTPs, each of which uses a different method to generate the password. The OTPs can be generated by a security token in the form of a device (hard token) or mobile phone app (soft token), or be delivered via SMS or email.

Time-based one-time passwords (TOTPs)

TOTPs generate new passwords based on the current time which are then usually delivered via an authenticator app (like Google Authenticator, Microsoft Authenticator or Authy) or via a hardware device. 

They use two pieces of information to generate the OTP. The first is a static secret key or seed which is known by the user’s token and the authentication server that validates the OTP. The second is the moving factor—in the case of TOTPs, a time-based counter. To calculate the time counter, a Unix timestamp is used along with the pre-set time limit (or timestep) of an OTP (typically 30 or 60 seconds). 

To generate the OTP, the secret key and the current time counter (the timestamp divided by the timestep) are input into a cryptographic hash function. The OTP must then be used within the assigned timestep, before it becomes invalid.

Graph showing how TOTP works.

Hash-based one-time passwords (HOTPs)

These are also known as HMAC-based one-time passwords, as they use the hash-based message authentication code (HMAC), an open standard.

Like TOTPs, HOTPs use a secret key or seed as well as a moving factor. The moving factor differs here though, as it is based on an event-activated counter rather than time-based. The counter is stored in the token and on the server. The counter on the token counts the number of OTPs that are generated when the button on the token is pressed. The counter on the server counts the number of OTPs once each one is validated. This means that HOTPs are not time-limited. 

To generate the hash-based OTP, the secret key and counter are inserted into a one-way cryptographic hash function that produces the OTP. Unlike a TOTP, it will remain valid until the user requests another OTP that is then validated.

Graph showing how HOTP works.

Transmission-based OTP

This type of OTP implementation is the most common, and one of the easiest ways to set up OTP. It involves generating unique, temporary passwords that are then sent to the user via push notification, text message or email. 

Transmission-based OTP is easier to implement for developers as there is no need for two separate devices to create and validate the passwords. Password generation and authentication is done by the same server. The most common way to deliver passwords is by SMS.

Note: Hard vs. soft tokens

Hard tokens refer to physical devices that generate OTPs such as USB keys, fobs, smart cards and Bluetooth devices. An example of a popular OTP hardware provider is Yubico. Soft tokens refer to software that generates OTPs, such as authenticator apps like Google Authenticator.

OTPs vs. static passwords

Static passwords are the passwords users select for their accounts that remain in use until the user changes them. They are cause for concern for businesses as, if the user keeps the same password for an extended period of time, it’s more likely that the password will be discovered.

What’s more, with so much of what we do online, having a static password for every single account can add up to hundreds of passwords. The majority of users opt for convenience by re-using the same password over and over again, as well as something that will be memorable rather than unique and secure. 

By implementing OTPs for your business, not only are you removing the option for users to create weak passwords, but you’re also improving the user experience by making secure login easy. There’s no need for them to write down, save or try to simply remember their password. You’ll also be doing them a favor by making their personal information and account details more secure.

How your business can benefit from OTP

You’ve probably noticed the widespread use of OTPs from your own online experience. That’s because OTPs are a reliable way to increase security. Let’s take a look at some of the benefits.

1. Prevent replay attacks

A replay attack involves a cybercriminal eavesdropping on a secure network, intercepting a data transmission and then delaying or repeating it. By using this method, hackers can intercept users’ passwords and then use them. OTPs can prevent this from happening as, by the time the cybercriminal attempts to use the password, it is no longer valid, either because the time limit for the OTP has expired or because it has already been used by the end-user and is therefore no longer valid for use. 

2. Improve users’ security practices

Since many users are lax about the strength and security of their passwords, implementing OTPs as an alternative removes the potential for hackers to exploit them. What’s more, using OTPs as part of a multi-factor authentication process helps to override the weakness of bad passwords by adding another layer of security that hackers can’t usually intercept. 

3. Convenient for the end-user

OTPs are an easy and reliable way to protect your users’ data and accounts from attack. Additionally, using OTPs makes it easier to manage account access—there’s no need to use bad (albeit memorable) passwords, try to remember stronger passwords, or keep them saved anywhere. Even better, OTPs are completely free for the end-user. 

4. Quick, automated sending

Delivering new, randomly generated OTPs is super quick and painless—there’s no need for users to sit around waiting to log in or complete their purchase. Generating new OTPs via device or app is instant, and with the correct implementation and infrastructure, delivering OTPs via email or SMS is just as fast and seamless. 

5. Keep IT admins happy

Password management requires a lot of time and effort to implement and maintain good practices. With OTPs, admins needn’t worry about security for password storage, policies, password rules and timelines and so on. They can dedicate their time elsewhere while OTP automates everything. 

How to set up OTP with MailerSend

With MailerSend, you can easily send OTPs via SMS and email thanks to our developer-friendly APIs. Let’s take a look at how to set up both.

First, in order to have the one-time password, you'll need to create a function to generate a random number and add a validity timeframe to the function. You'll also need to create the function to validate the OTP when the user enters it.
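The generation and validation functions this step calls for, and the server-side (transmission-based) flow from the "Transmission-based OTP" section, as an added example in Python (not MailerSend's code). The plaintext code is what you pass to MailerSend as the {{otp}} variable; the server keeps only a keyed hash of it, an expiry time, and an attempt counter. `PEPPER`, the in-memory `_pending` store, `TTL_SECONDS` and `MAX_ATTEMPTS` are assumptions for the example; a real deployment stores the record in a database or cache and keeps the pepper in secret storage.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not the page's or MailerSend's code.
PEPPER = b"replace-with-a-server-side-secret"   # constructed placeholder, never ship as-is
CODE_DIGITS = 6
TTL_SECONDS = 10 * 60       # validity timeframe for the example; the email template above says 1 hour
MAX_ATTEMPTS = 5            # guesses allowed before the code is discarded

_pending = {}               # user id -> record; stands in for a database or cache


def _digest(user_id: str, code: str) -> bytes:
    """Keyed hash of the code, bound to the user so a leaked store is not directly usable."""
    return hmac.new(PEPPER, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


def issue_otp(user_id: str, now: float = None) -> str:
    """Generate a uniformly random numeric code with the `secrets` module (not `random`),
    store its hash with an expiry, and return the plaintext for delivery by email or SMS.
    Issuing a new code replaces any older one for the same user."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    _pending[user_id] = {
        "digest": _digest(user_id, code),
        "expires": now + TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(user_id: str, submitted: str, now: float = None) -> bool:
    """Single-use, time-limited, attempt-limited check with a constant-time comparison."""
    now = time.time() if now is None else now
    rec = _pending.get(user_id)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]        # expired, or the guessing budget is exhausted
        return False
    rec["attempts"] += 1
    if hmac.compare_digest(rec["digest"], _digest(user_id, submitted)):
        del _pending[user_id]        # consume the code: a replayed code fails
        return True
    return False


def personalization_for(email: str, name: str, company: str, code: str) -> dict:
    """Build one `personalization` entry in the shape used by the email sending
    instructions, with the code supplied as the {{otp}} variable."""
    return {"email": email, "data": {"company": company, "name": name, "otp": code}}


if __name__ == "__main__":
    code = issue_otp("jane@mailersend.com")
    print(personalization_for("jane@mailersend.com", "Jane", "MailerSend", code))
    print("valid:", verify_otp("jane@mailersend.com", code))      # True
    print("replayed:", verify_otp("jane@mailersend.com", code))   # False
```

The attempt limit matters because a 6-digit code has only a million possibilities; without it, the validity window is the only thing standing between an attacker and a guessed code. Deleting the record on success is what gives the code its single-use property, which is the replay protection described earlier in the article.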

Once you’re done, you can choose between sending the OTP via email or text:

Set up OTP emails

Send an email using one of your templates—remember the sending instructions are available under the template settings!

Be sure to include a variable containing your random number like {{otp}}. You can then use the following sending instructions to send an HTML email:

{
   "from":{
      "email":"hello@{{sendingdomain}}",
      "name":"Awesome Company"
   },
   "to":[
      {
         "email":"jane@mailersend.com"
      }
   ],
   "subject":"Your {{company}} verification code",
   "html":"<b>Hi {{name}}!</b><br><br>To help us make sure it's really you, here's the verification code you'll need to log in:<br><b>{{otp}}</b>.<br><br>If this wasn't you logging in, and you use a password to log in, please reset your password. To further secure your account, please set up two-step authentication.<br>This code will expire in <b>1 hour</b>. Once the code expires, you will need to request a new verification code by going through the login procedure again",
   "personalization":[
      {
         "email":"agathe+1@mailersend.com",
         "data":{
            "company":"MailerSend",
            "name":"Jane",
            "otp":"1234567890"
         }
      }
   ]
}

Set up OTP SMS

You can follow the same method to send an SMS, using the following sending instructions:

{
   "from":"+18332947701",
   "to":[
      "+18332403627"
   ],
   "text":"Hey {{name}}! Your {{company}} verification code is {{otp}}. ",
   "personalization":[
      {
         "phone_number":"+18332403627",
         "data":{
            "name":"Jane",
            "otp":"1234567890"
         }
      }
   ]
}

Make sure you have a field on your login page that appears when the user enters their email address so that they can enter the one-time password.

OTP for a secure, reliable user experience

OTPs are more than just another type of transactional message you can send your recipients. They’re a way to improve security for your business and users, and provide a better, more professional customer experience. Whether you’ve experienced a breach or not, implementing some form of OTP, either for login, transaction verification or MFA, is a must for businesses that prioritize security.

Will you be using MailerSend to send OTP emails or text messages to your users? Tell us about your use case in the comments!

Start using OTP now!

Sign up to MailerSend’s transactional messaging service to start sending OTP SMS and emails. Get 3,000 emails free or upgrade to get SMS, more emails and advanced features.

Amy Elliott
I’m Amy, Content Writer at MailerSend. As a child, I dreamt about writing a book and practiced by tearing pages from an A4 notepad and binding them with sugar paper. The book is pending but in the meantime, I love taking a deep dive into technical topics and sharing insights on email metrics and deliverability.