
May 14, 2026

What is a One-Time Password? Secure Your Team’s Access

Are you still relying on authentication codes that live on an engineer's personal smartphone? A one-time password (OTP) is a cornerstone of modern identity security, yet the way many IT teams manage the secrets behind those codes creates a single point of failure for the whole organisation.

Defining the One-Time Password (OTP)

A one-time password (OTP) is a computer-generated numeric or alphanumeric code that authenticates a user for a single login session or transaction. Unlike a static password, which remains valid until you change it, an OTP is ephemeral: it is invalidated once it has been used, and time-based variants also expire after a short period whether used or not.

According to NIST Special Publication 800-63B, an OTP authenticator proves possession of a specific device by generating a code derived from a secret key embedded in it. You then enter this code to prove your identity to the verifier. Because each code is accepted only once, a code an adversary captures cannot be replayed later. The verifier has to enforce this, though: RFC 6238 requires that an OTP be rejected on any attempt after the one that succeeded, so a server that merely checks the arithmetic and never records which codes it has consumed is not replay-safe.

How OTP Mechanics Work: Seeds and Secrets

The security of an OTP relies on a shared secret, also known as a seed, known only to the authentication server and the authenticator that holds it, whether that is an app on a phone, a hardware token, or a team MFA vault. When you first set up MFA for a service like AWS or GitHub, the service issues this secret, usually as a QR code that encodes an otpauth:// URI carrying the Base32-encoded seed together with the algorithm, digit count and time step.

That secret is the seed. Both the server and your authenticator feed it, together with a moving factor (the current time step or a counter), into an HMAC, and a few digits extracted from the HMAC output become the code you see on screen. For IT teams the primary risk is not the algorithm but where the seed lives. If the only copy sits on one individual's personal device, authentication is fragmented, and a departing employee or a lost phone can lock the whole team out of the account.
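The QR code shown at enrolment is just an encoded otpauth:// URI. The parser below is an added example (not code from the original article, nor from any of the services named above) that extracts the Base32 seed and the parameters a verifier needs, and rejects URIs it could not honour. The sample URI and its secret are constructed for illustration; the URI layout is the de-facto Key Uri Format that authenticator apps read.

```python
"""Parse the otpauth:// URI that an MFA enrolment QR code encodes.

Added example, not code from the original article. The URI format is the
de-facto Key Uri Format used by authenticator apps; the sample URI and its
Base32 secret below are constructed for illustration.
"""
import base64
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a TOTP enrolment QR code decodes to.
SAMPLE_URI = ("otpauth://totp/GitHub:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=GitHub&algorithm=SHA1&digits=6&period=30")

SUPPORTED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


def parse_otpauth(uri: str) -> dict:
    """Return the raw seed bytes and parameters, rejecting anything a verifier could not honour."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = {key: values[0] for key, values in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret")

    # Seeds are commonly exported as unpadded Base32; restore '=' padding before decoding.
    b32 = params["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    seed = base64.b32decode(b32)

    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits = int(params.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError("digits must be 6, 7 or 8")

    label = unquote(parts.path.lstrip("/"))
    # The issuer parameter wins; otherwise fall back to the 'Issuer:account' label prefix.
    issuer = params.get("issuer") or (label.split(":", 1)[0] if ":" in label else None)

    info = {"type": parts.netloc, "label": label, "issuer": issuer, "seed": seed,
            "algorithm": algorithm, "digits": digits}
    if parts.netloc == "totp":
        info["period"] = int(params.get("period", "30"))
    else:
        if "counter" not in params:
            raise ValueError("hotp URI requires an initial counter")
        info["counter"] = int(params["counter"])
    return info


if __name__ == "__main__":
    parsed = parse_otpauth(SAMPLE_URI)
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in parsed.items()})
```

The decoded seed is the only part that must be protected; everything else in the URI is public parameters. Whatever stores the seed, a phone app or a team vault, should treat those bytes the same way it would treat a private key.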

[Figure: shared OTP seed flow]

TOTP vs HOTP: Technical Differences

The Internet Engineering Task Force (IETF) defines two standards for generating these codes: HOTP in RFC 4226 and TOTP in RFC 6238. Understanding the difference between them is essential for selecting the right security posture for your team.

TOTP (Time-Based One-Time Password)

TOTP is the most common form of OTP used by modern SaaS platforms. It uses the current Unix time, divided into fixed-length steps, as the moving factor in its calculation.

  • The algorithm combines the shared secret with the number of elapsed time steps, usually 30 seconds long, so the code changes every 30 seconds.
  • The short lifetime narrows the window in which a stolen code is useful, but it does not close it: a real-time phishing proxy can relay the code to the genuine service before it expires.
  • The verifier must tolerate clock drift and network delay, typically by also accepting the codes for the adjacent time steps, so users are not locked out by minor time sync issues. It should also record the step it accepted so the same code cannot be submitted twice.

HOTP (HMAC-Based One-Time Password)

HOTP is counter-based rather than time-based: the code changes only when you request a new one, and it has no expiry time.

  • The token increments its counter each time it generates a code; the server increments its own counter only when a code is verified successfully.
  • An HOTP code stays valid until it, or a later code in the sequence, is accepted. Once the server has advanced past a counter value, all earlier codes are rejected.
  • Because a token can be pressed without logging in, the server checks a small look-ahead window of counter values beyond its own to resynchronise; a token driven further ahead than that window needs a manual resync.
  • This method is often found in hardware tokens where a physical button is pressed to reveal the next code in the sequence.
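The following added example (not code from the original article) implements both algorithms from the Python standard library and checks them against the test vectors published in RFC 4226 and RFC 6238. The two verifier classes and their window sizes are this example's own design, chosen to show the points above: accepting a code from an adjacent time step while refusing its replay, and resynchronising an HOTP token that was pressed without logging in.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with only the standard library.

Added example, not code from the original article. The verifier classes and
their window sizes are this example's own design; the secret and expected
codes come from the RFC test vectors.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_SECRET = b"12345678901234567890"  # shared seed used by the RFC 4226 / 6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(seed, counter) -> dynamic truncation -> zero-padded decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, digestmod)


class TotpVerifier:
    """Server side of TOTP: accept the current step and `drift` steps either side,
    and never accept a step at or before one already consumed (no replay)."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_step = -1  # highest time step whose code has been accepted

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(max(0, current - self.drift), current + self.drift + 1):
            if candidate <= self.last_step:
                continue  # already used, or older than a code we have accepted
            if hmac.compare_digest(hotp(self.secret, candidate), code):  # constant-time compare
                self.last_step = candidate
                return True
        return False


class HotpVerifier:
    """Server side of HOTP: the counter advances only on success, and a look-ahead
    window resynchronises a token whose button was pressed without logging in."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.look_ahead = secret, look_ahead
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # skip any codes the user generated but never used
                return True
        return False


def demo() -> dict:
    """Run the RFC vectors and the two verifier behaviours; returns the observations."""
    out = {}
    out["hotp_0"] = hotp(RFC_SECRET, 0)                 # RFC 4226 Appendix D: 755224
    out["hotp_1"] = hotp(RFC_SECRET, 1)                 # 287082
    out["totp_59"] = totp(RFC_SECRET, 59, digits=8)     # RFC 6238 Appendix B: 94287082

    # Clock drift: a code generated at t=59 (step 1) is still accepted at t=61 (step 2),
    # but submitting the same code again is refused.
    tv = TotpVerifier(RFC_SECRET, drift=1)
    code = totp(RFC_SECRET, 59)
    out["drift_accepted"] = tv.verify(code, now=61)
    out["replay_rejected"] = not tv.verify(code, now=61)

    # Token pressed three times without logging in: the look-ahead window finds
    # counter 3, the server jumps to 4, and the skipped code for counter 2 is dead.
    hv = HotpVerifier(RFC_SECRET, look_ahead=5)
    out["lookahead_accepted"] = hv.verify(hotp(RFC_SECRET, 3))
    out["counter_after"] = hv.counter
    out["old_code_rejected"] = not hv.verify(hotp(RFC_SECRET, 2))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter in practice. The comparison uses `hmac.compare_digest` so a verifier does not leak, via timing, how many leading digits of a guess were right. And both verifiers keep state (`last_step`, `counter`) that must live server-side and be shared across all login frontends; a stateless verifier that only checks the arithmetic will accept the same TOTP code twice within its window.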

The Role of OTP in Multi-Factor Authentication

Within an MFA system the OTP serves as the "something you have" factor, because producing a valid code requires possession of the seed. Even if an attacker steals your static password, they cannot access the account without a code from the authenticator that holds the seed, whether that is a hardware token, an app, or a shared team vault. The factor is therefore only as strong as the confidentiality of the seed: anyone who copies it can generate the same codes.

Microsoft's guidance classes software OATH tokens as not phishing-resistant, unlike hardware FIDO2 keys: a phishing page can relay a TOTP code to the genuine service before it expires, whereas FIDO2 binds the credential to the origin so a relayed response is useless. OTPs nevertheless raise the bar well above passwords alone. For most organisations, software-based OTPs are a reasonable balance between security and user friction on systems that do not yet support FIDO2, provided the seeds are managed centrally.

Solving the OTP Logistics Challenge

The technical elegance of the OTP often becomes a logistical hurdle in professional environments. When you manage shared administrative accounts, relying on a single engineer's phone to generate codes is a significant liability. For MSPs managing MFA on behalf of clients, this creates single points of failure where an absent or departing staff member can inadvertently block access to critical client infrastructure.

To maintain both security and uptime, you need to move authentication away from individual devices and towards MFA that is managed for the team. Storing OTP seeds in a dedicated, encrypted vault with role-based access control makes authentication a corporate asset rather than a personal one: access can be revoked instantly when someone leaves, and every code generation is recorded in the granular audit logs modern compliance regimes expect. The trade-off is that the vault now holds every seed, so its encryption, access control and logging become the critical boundary and deserve the same scrutiny as a secrets manager.

[Figure: centralised team OTP vault]

Stop letting your team's access to critical systems live on personal smartphones. Secure your shared secrets in a centralised vault to maintain absolute control over your authentication workflow.

Start your 14-day free trial with Gatera today – no credit card required.
