What Is an OTP Code? One-Time Passwords Explained

Every time an app texts you a six-digit code to confirm a login, you are using a one-time password, or OTP. It is one of the most common security mechanisms on the internet, yet almost nobody knows what actually happens between tapping “send code” and the number arriving on your screen. This guide explains what an OTP is, the two mathematical families behind it (HOTP and TOTP), how codes are generated and validated, and why the delivery channel — SMS, app, or email — matters far more than the code itself.

What is a one-time password?

A one-time password is a code that is valid for a single login attempt or a single short time window, after which it expires and can never be reused. That “used once” property is the whole point: even if an attacker intercepts the code, it is worthless seconds later. This is what separates an OTP from your normal password, which stays valid until you change it.

OTPs are almost always used as a second factor on top of a password, forming two-factor authentication (2FA). The password is something you know; the OTP proves you also hold something you have — your phone, a hardware token, or an authenticator app.

How an OTP login worksUser enterspasswordServer requestssecond factorOTP generated(6 digits)User submitscodeServer verifies& expires it
The lifecycle of a one-time password, from request to expiry.

HOTP vs TOTP: the two kinds of OTP

Almost every OTP you have ever seen is built on one of two open standards published by the IETF.

HOTP — counter-based (RFC 4226)

HOTP derives the code from a shared secret key plus a counter that increments by one every time a code is generated. Both the server and your device know the secret and the current counter, so they compute the same code independently. Because it depends on a counter rather than the clock, an HOTP code stays valid until it is used — which is convenient but slightly weaker.

TOTP — time-based (RFC 6238)

TOTP replaces the counter with the current time, rounded to a 30-second window. This is what Google Authenticator, Authy, and Microsoft Authenticator produce: a code that changes every 30 seconds. Because the code is tied to the clock, it expires quickly on its own, which is why authenticator apps are considered stronger than counter-based tokens.

The maths is straightforward: TOTP = HOTP(secret, floor(current_time / 30)). Both sides run the same HMAC-SHA1 (or SHA-256) computation and truncate the result to six digits.

secret  = shared key (set at enrolment, e.g. from a QR code)
time    = 1737000000  (Unix seconds)
step    = floor(time / 30) = 57900000
code    = truncate( HMAC-SHA1(secret, step) ) mod 10^6
// => "482913"  (valid for ~30 seconds)

Why the QR code? When you scan a 2FA setup QR code, you are copying the shared secret into your authenticator app. From that moment, your app and the server can independently generate matching TOTP codes without ever talking to each other again — no internet required to produce the code.

How OTPs are delivered — and why it matters

The code itself is only as safe as the channel that carries it. Ranked from weakest to strongest:

ChannelHow it worksMain weakness
Email OTPCode emailed to your inboxOnly as secure as your email account
SMS OTPCode texted to your numberSIM swapping, SS7 interception, VoIP
TOTP appCode generated locally on devicePhishing (user types code into fake site)
Push approvalTap “approve” in an appMFA fatigue / accidental approval
Hardware key / passkeyCryptographic challenge, no code typedEffectively phishing-proof

The key insight: an SMS OTP and a TOTP app code can be the same six digits, but the SMS version can be stolen in transit through SIM swapping or SS7 attacks, while the TOTP code never leaves your device. That is why NIST classifies SMS as a “restricted” authenticator.

Video: a short explainer on what a one-time password is and how it protects your accounts.

Getting the most out of OTPs

Prefer an authenticator app over SMS for any account that matters. Never read a code aloud to anyone who calls you — no legitimate company asks for it. Watch the sender and the wording: a code you did not request means someone is trying to log in as you. And for testing or throwaway signups where the account has no value, a temporary number lets you receive an SMS OTP without exposing your real one.

Try temporary numbers, free

Receive SMS online with a disposable phone number from 40+ countries — no registration. Best for testing and low-risk signups.

Use the Free Tool

Authoritative sources & further reading

Frequently asked questions

What does OTP stand for?

OTP stands for one-time password: a code valid for a single use or a single short time window, after which it expires.

Is a TOTP app safer than SMS?

Yes. A TOTP authenticator app generates the code locally on your device, so it cannot be intercepted through SIM swapping or SS7 attacks the way an SMS code can.

Why do authenticator codes change every 30 seconds?

TOTP codes are derived from the current time rounded to a 30-second window, so a new code is produced automatically at each interval.