Qraft

One-Time Password

A one-time password (OTP) is a disposable credential that becomes invalid after a single use. Unlike a static password, a compromised OTP cannot be replayed later, which gives strong resistance against credential stuffing and phishing attacks. The caveat is that the code remains valid for the rest of its short window, so a code relayed to the real service in real time by a phishing proxy can still be used once before it expires.

Two main OTP schemes exist. TOTP (Time-based One-Time Password, RFC 6238) generates, by default, a 6-digit code every 30 seconds from a shared secret and the current time. HOTP (HMAC-based One-Time Password, RFC 4226) uses a counter that both sides increment instead of time. TOTP dominates today, powering Google Authenticator, Microsoft Authenticator, and similar apps.

QR codes play an essential role in TOTP setup. The service encodes the shared secret as an otpauth://totp/... URI and displays it as a QR code. The user scans it with their authenticator app and the secret key is registered - no manual entry of a 32-character Base32 string required. Because that QR code carries the raw secret, it should be shown only once, over HTTPS, and never logged or saved as an image.

This QR-based onboarding dramatically accelerated two-factor authentication adoption. Without the one-step scan, the barrier for average users to enable TOTP would have been prohibitively high.