A one-time password (OTP) is an automatically generated numeric code that can only be used once. One-time passwords are used to authenticate users before they can access an account or system and are often used as a form of Multi-Factor Authentication (MFA) to add an additional verification factor to an account. Many companies, such as financial institutions, send their users one-time passwords to verify their identity before granting them access to sensitive accounts and information.
Continue reading to learn more about one-time passwords, how they differ from Time-based One-Time Passwords (TOTP) and how you can start receiving them.
OTP vs TOTP: What’s the Difference?
The main difference between a One-Time Password (OTP) and a Time-based One-Time Password (TOTP) is that OTP is an umbrella term used to refer to the different types of one-time passwords, whereas TOTP is a specific type of one-time password.
A time-based one-time password is an automatically generated code that is only valid for a certain amount of time and is used to verify a user’s identity. TOTP codes are typically only valid for 30 to 60 seconds. After a TOTP code expires, a new one is generated and it can only be used within the time frame it’s valid for.
What Are the Types of One-Time Passwords and How Do They Work?
There are two main types of one-time passwords: TOTP and HOTP. How a code is generated and validated depends on which type you use.
How TOTP works
Time-based one-time passwords work by a user first scanning a QR code provided by the account server using a dedicated authenticator application or a password manager that supports TOTP codes. Scanning the QR code gives the authenticator app a secret key that the server also holds. A six-digit code is then generated from that shared secret and the current time, typically every 30 to 60 seconds. Alternatively, the user can type the secret key into the app manually to set up the TOTP.
When the user logs in to the account that has TOTP enabled, they must input the six-digit code provided by the authenticator application before it expires. When a user enters the TOTP code in time, they can successfully log in to their account.
How HOTP works
Hash-based One-Time Passwords (HOTP) are computed with the same Hash-based Message Authentication Code (HMAC) construction as TOTP, but from a different moving factor. HOTP is counter-based rather than time-based: the code is derived from a counter that increases each time a code is generated, so the server and the authenticator stay in step by counting codes instead of watching the clock.
HOTP codes are valid until they’re used or a new HOTP code is requested.
The Benefits of Using One-Time Passwords
There are two major benefits to using one-time passwords: preventing account compromise and protecting against replay attacks.
One-time passwords help prevent account compromise
One-time passwords, like any other MFA method, protect your online accounts from becoming compromised even if someone has access to your login credentials. One Microsoft research report found that MFA can block over 99.9% of account compromise attacks.
Here’s an example: let’s say the username and password to one of your online accounts is exposed in a public data breach and a cybercriminal gets their hands on those breached credentials. Since they know which account the credentials belong to, they attempt to log in to that account. However, once they’ve entered the credentials in the login portal, they’re asked to provide the one-time code that is displayed in your password manager.
Since the cybercriminal doesn’t have access to your password manager, they won’t be able to provide the one-time code, meaning they won’t be able to log in to your account.
One-time passwords can protect you from replay attacks
A replay attack, also called a repeat or playback attack, is a type of cyber attack where cybercriminals eavesdrop on your network and then intercept the data being exchanged so they can delay or repeat the data later. When a cybercriminal successfully intercepts the data, they also steal the client’s session ID so they look like a valid client on the network.
What makes one-time passwords so secure is that they can only be used once, so even if a cybercriminal were able to use a replay attack to intercept your login credentials for one of your accounts, the one-time password you entered would be invalid for them to reuse.
How To Receive a One-Time Password
You can start receiving one-time passwords by enabling them in the security settings for each of your online accounts. When you enable one-time passwords on an account, you’ll be asked how you want to receive them. Some of the options are listed below.
Note: Not all websites support the use of one-time passwords as a form of MFA.
- SMS text message: Choosing this option will allow you to receive your OTP codes through text message. While this is convenient, it is the least secure way to receive your one-time passwords because of SIM-swapping attacks.
- Phone call: Choosing this option will allow you to receive OTP codes through a phone call. This OTP option is also susceptible to SIM-swapping attacks.
- Email: Choosing this option means you’ll be sent an OTP code through email. However, email accounts are commonly targeted, so if your email is compromised, a cybercriminal would be able to read the OTP code.
- Authenticator application: Choosing this option means you’ll need to download a separate application on your phone like Google Authenticator. The codes generated by authenticator applications are time-based so you’ll need to enter them before they expire. Some password managers like Keeper® also come with an option to generate the one-time passwords for your accounts.
Secure Your Accounts With Strong Passwords and OTP
Together, strong passwords and one-time passwords help keep your online accounts secure from compromise. Each online account should have a unique, strong password that is never reused and doesn’t contain common dictionary words or phrases.
The best way to ensure you’re always using strong passwords is by using a password generator. Many password managers have built-in password generators to aid you in creating strong passwords for each of your accounts, while also securely storing them for you. In addition to a strong password, your accounts should also have one-time passwords or another method of MFA enabled.
Keeper Password Manager can help you keep your accounts secure by aiding you in the creation and storage of your passwords and one-time passwords. Start securing your online accounts with Keeper by starting a free 30-day trial.