What Is an OTP Code? One-Time Passwords Explained
Every time an app texts you a six-digit code to confirm a login, you are using a one-time password, or OTP. It is one of the most common security mechanisms on the internet, yet almost nobody knows what actually happens between tapping “send code” and the number arriving on your screen. This guide explains what an OTP is, the two mathematical families behind it (HOTP and TOTP), how codes are generated and validated, and why the delivery channel — SMS, app, or email — matters far more than the code itself.
What is a one-time password?
A one-time password is a code that is valid for a single login attempt or a single short time window, after which it expires and can never be reused. That “used once” property is the whole point: even if an attacker intercepts the code, it is worthless seconds later. This is what separates an OTP from your normal password, which stays valid until you change it.
OTPs are almost always used as a second factor on top of a password, forming two-factor authentication (2FA). The password is something you know; the OTP proves you also hold something you have — your phone, a hardware token, or an authenticator app.
HOTP vs TOTP: the two kinds of OTP
Almost every OTP you have ever seen is built on one of two open standards published by the IETF.
HOTP — counter-based (RFC 4226)
HOTP derives the code from a shared secret key plus a counter that increments by one every time a code is generated. Both the server and your device know the secret and the current counter, so they compute the same code independently. Because it depends on a counter rather than the clock, an HOTP code stays valid until it is used — which is convenient but slightly weaker.
TOTP — time-based (RFC 6238)
TOTP replaces the counter with the current time, rounded to a 30-second window. This is what Google Authenticator, Authy, and Microsoft Authenticator produce: a code that changes every 30 seconds. Because the code is tied to the clock, it expires quickly on its own, which is why authenticator apps are considered stronger than counter-based tokens.
The maths is straightforward: TOTP = HOTP(secret, floor(current_time / 30)). Both sides run the same HMAC-SHA1 (or SHA-256) computation and truncate the result to six digits.
secret = shared key (set at enrolment, e.g. from a QR code) time = 1737000000 (Unix seconds) step = floor(time / 30) = 57900000 code = truncate( HMAC-SHA1(secret, step) ) mod 10^6 // => "482913" (valid for ~30 seconds)
Why the QR code? When you scan a 2FA setup QR code, you are copying the shared secret into your authenticator app. From that moment, your app and the server can independently generate matching TOTP codes without ever talking to each other again — no internet required to produce the code.
How OTPs are delivered — and why it matters
The code itself is only as safe as the channel that carries it. Ranked from weakest to strongest:
| Channel | How it works | Main weakness |
|---|---|---|
| Email OTP | Code emailed to your inbox | Only as secure as your email account |
| SMS OTP | Code texted to your number | SIM swapping, SS7 interception, VoIP |
| TOTP app | Code generated locally on device | Phishing (user types code into fake site) |
| Push approval | Tap “approve” in an app | MFA fatigue / accidental approval |
| Hardware key / passkey | Cryptographic challenge, no code typed | Effectively phishing-proof |
The key insight: an SMS OTP and a TOTP app code can be the same six digits, but the SMS version can be stolen in transit through SIM swapping or SS7 attacks, while the TOTP code never leaves your device. That is why NIST classifies SMS as a “restricted” authenticator.
Getting the most out of OTPs
Prefer an authenticator app over SMS for any account that matters. Never read a code aloud to anyone who calls you — no legitimate company asks for it. Watch the sender and the wording: a code you did not request means someone is trying to log in as you. And for testing or throwaway signups where the account has no value, a temporary number lets you receive an SMS OTP without exposing your real one.
Try temporary numbers, free
Receive SMS online with a disposable phone number from 40+ countries — no registration. Best for testing and low-risk signups.
Use the Free ToolAuthoritative sources & further reading
- RFC 4226 (HOTP) — the original counter-based OTP standard
- RFC 6238 (TOTP) — the time-based OTP standard behind authenticator apps
- NIST SP 800-63B — US digital identity guidelines on authenticators
- MDN Web Docs: OTP — developer reference on one-time passwords
- OWASP MFA Cheat Sheet — implementation best practices
Frequently asked questions
What does OTP stand for?
OTP stands for one-time password: a code valid for a single use or a single short time window, after which it expires.
Is a TOTP app safer than SMS?
Yes. A TOTP authenticator app generates the code locally on your device, so it cannot be intercepted through SIM swapping or SS7 attacks the way an SMS code can.
Why do authenticator codes change every 30 seconds?
TOTP codes are derived from the current time rounded to a 30-second window, so a new code is produced automatically at each interval.