Glossary
What is a one-time password (OTP)? TOTP vs HOTP vs SMS, and its limits
A one-time password (OTP) is a disposable code valid only once and only briefly. Learn the difference between an authenticator app's TOTP, counter-based HOTP, and an SMS code, why it's strong against leaked passwords, and its limit — adversary-in-the-middle phishing can still defeat it. Defensive, no attack steps.
Single-use and disposable — that's a one-time password (OTP). Here are the types and a limit people often miss: phishing can still defeat it (no attack steps).
The types: TOTP / HOTP / SMS-OTP
They all get lumped together as "disposable codes," but they split into three by how they're generated.
TOTP (time-based)
The app computes it from a shared secret + the current time. Rotates about every 30s. Works offline.
HOTP (counter)
Advances by a count, not time. Each press gives the next code. Used by hardware tokens.
SMS-OTP
Sends the code by SMS. Convenient, but vulnerable to SIM swaps and relaying — the frailest method.
All share the "single-use, short-lived" nature, so even if a fixed password leaks, the code itself is hard to reuse. TOTP in particular is computed inside the app without any network round-trip, so it has no interception path the way SMS does.
Strengths and limits: you can still "hand it over" to phishing
OTP patches the weaknesses of fixed passwords, but it isn't a silver bullet. The decisive limit is that a human reads and types the code.
Where OTP works
- stops takeovers from leaked / reused passwords
- even if seen, it's invalid quickly and hard to reuse
- authenticator-app TOTP works offline and resists interception better than SMS
Where OTP breaks
- adversary-in-the-middle (AiTM) phishing: a fake site relays the OTP to the real one and logs in
- SIM swapping: hijack the phone number and siphon the SMS-OTP
- root cause = a human can hand the code to a fake site (it isn't bound to the domain)
This site's view: OTP is a waypoint; the destination is passkeys
OTP is an excellent first step out of "password only." In fact, whether SMS or TOTP, just turning it on stops most takeovers. But this site treats OTP as a waypoint, not the destination. As long as adversary-in-the-middle phishing is a real threat, the end state is a passkey (FIDO2), whose signature is bound to the domain and structurally can't be presented to a fake site. The priority is clear: turn OTP on everywhere first, then raise your keys-to-the-kingdom accounts (email, domain, payments) to passkeys. The point is not to rely on "spotting the fake site by being careful."
Read next
- Glossary: what two-factor authentication (2FA) is (the context where OTP is the "second proof") · what a passkey is (phishing resistance beyond OTP's limit)
- Glossary: what phishing is (understand the AiTM attacks that relay an OTP)
- Learn: choosing MFA the right way (method selection in practice)
FAQ
Q: How is a one-time password different from a regular password?
A regular password stays the same (fixed) until you change it, so once it leaks it can be abused until you rotate it. A one-time password (OTP) is disposable — valid only once and only briefly — and becomes invalid the moment it's used. That makes it hard to reuse even if it's seen, covering the weaknesses of fixed passwords (leaks and reuse). Many services use it as a second proof on top of your password, as one method of two-factor authentication.
Q: Is an SMS one-time password safe?
It's clearly stronger than a password alone, but it's the weakest kind of OTP. SMS can be intercepted via SIM swapping (hijacking your phone number) or siphoned by adversary-in-the-middle phishing where a fake site relays it. Where you can, move to an authenticator app's TOTP, and for important accounts, to a passkey.
Q: Why does the authenticator-app code change every 30 seconds or so?
Because it's a TOTP (time-based one-time password). The app and the service each compute the same code from a shared secret and the current time, on a fixed interval (often 30 seconds). When the interval passes, the old code becomes invalid and a new one takes over. Keeping it short-lived narrows the window in which a stolen code is usable.