OTP stands for One-Time Password: a short numeric code that is accepted only once and, in most schemes, only within a 30-60 second window. It exists because static passwords leak. This guide explains how OTPs are generated and delivered, the three main schemes (HOTP, TOTP and SMS), and where each fails.

The core idea

A password you reuse can be stolen from any leak and replayed forever. A code that expires within a minute and is accepted only once cannot be replayed later: an attacker who captures it must use it immediately, which is why every remaining attack on OTP has to happen in real time. That is the entire security argument for OTP.

How the code is generated

HOTP (counter-based)

Server and device share a secret key. The device keeps a counter; each time you request a code it computes an HMAC over the counter with the secret (RFC 4226 specifies HMAC-SHA1), truncates the result to a 6-digit number, and increments the counter. The server does the same with its own copy of the counter and advances it when a code is accepted. The two counters drift apart whenever a generated code is never submitted, so servers normally try a small look-ahead window of counter values and resynchronise to the one that matched.

TOTP (time-based)

Same construction as HOTP, but the "counter" is the current 30-second time window (Unix time divided by 30, as specified in RFC 6238). Google Authenticator, Aegis, Authy, and 1Password all use TOTP. No counter to keep in sync, only the clock; servers usually accept the previous and next window as well, to tolerate small clock drift.
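Both generators above, plus the server-side checks they need, as an added example (this is not code from the original page or from any of the authenticator apps it names; it is a from-scratch implementation of RFC 4226 and RFC 6238 using only the Python standard library). The look-ahead window size, the clock-skew tolerance and the class names are assumptions chosen for illustration. The verifiers show the two properties the text describes: HOTP resynchronises its counter, and TOTP tolerates one step of drift, while both refuse to accept a code a second time, which is what "valid once" means in practice.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 4 bytes at an offset given by the last nibble of the MAC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24   # top bit masked so the value is a positive 31-bit int
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits, algo)


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps receive the shared secret base32-encoded (in the otpauth://
    URI); this decodes it, tolerating the spaces and missing '=' padding sites print."""
    s = s.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class HotpVerifier:
    """Server side of HOTP (window size is an assumed value, not from any RFC).
    The look-ahead window resynchronises counters when the user generated codes
    that never reached the server; a matched counter is never accepted again."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            # compare_digest is constant-time, so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # skip any counters the user burned without submitting
                return True
        return False


class TotpVerifier:
    """Server side of TOTP: accept +/- `skew` steps for clock drift (skew=1 is an
    assumed, common choice), but remember the last accepted step so a phished or
    intercepted code cannot be replayed within the same window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_accepted_step = -1

    def verify(self, code: str, now=None) -> bool:
        current = (int(time.time()) if now is None else int(now)) // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # that step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Demo input: the published 20-byte test secret from RFC 4226 / RFC 6238.
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))                # 755224 (RFC 4226 table)
    print("TOTP at T=59  :", totp(secret, at=59, digits=8))  # 94287082 (RFC 6238 table)
    v = TotpVerifier(secret)
    code = totp(secret, at=1111111111)
    print("first use:", v.verify(code, now=1111111111))  # True
    print("replay   :", v.verify(code, now=1111111111))  # False
```

Running the file reproduces the first rows of the test-vector tables in RFC 4226 and RFC 6238, which is the quickest way to confirm an implementation before wiring it to a real authenticator. The replay bookkeeping (`counter` and `last_accepted_step`) has to live in the server's database, keyed per user, or the one-time property is lost the moment the service runs on more than one process.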

SMS OTP

The server generates a random code, stores it with a short expiry, and sends it via SMS. Simple, and it needs no app, but the code travels over the mobile network and is tied to your phone number rather than to a device you control. That number is the weakest link.

Where OTPs fail

  • SMS OTP: vulnerable to SIM swap (an attacker convinces your carrier to move your number to their SIM and then receives your codes). If your bank uses SMS OTP, you are one social-engineering call away from losing your savings.
  • TOTP and SMS OTP: vulnerable to real-time phishing (a fake login page takes your password and code and relays them to the real site within the code's validity window, so the short lifetime does not help).
  • Both: defeated by malware on the device that reads the code, and, for TOTP, by theft of the shared secret, since whoever holds the secret can generate every future code.

What comes next: passkeys

Passkeys (WebAuthn) replace OTPs entirely with a cryptographic key pair: the private key stays on your device, and the browser signs a challenge that includes the site's origin, so a lookalike site cannot reuse the signature on the real one. No code to type, nothing to phish. In 2026 most major services support passkeys; enable them where offered.

Frequently asked questions

Is SMS OTP still safe?

For low-value accounts, yes. For banking, crypto, or your primary email — no; use TOTP or passkeys.

Why do OTPs expire so fast?

To shrink the window in which a stolen code is useful. A 30-60 second lifetime is the trade-off between security and the time a user needs to read and type the code.

Can I test OTP delivery for my app?

Yes — SMSVerifyo is used by developers to test SMS OTP flows across countries and carriers without buying real SIMs.

What if my authenticator app is lost?

Most services that use TOTP show one-time recovery codes at setup time. Save them somewhere offline, separate from the device running the authenticator. Without them, recovery is a support-ticket ordeal.