Proton
A Proton blog cover image showing a phone screen with an empty one time password code field

One-time passwords are one of the most common forms of two-factor authentication (2FA). In this blog, we’ll help you understand what a one-time password is, the different types of one-time password you might receive, and how to stay safe when you’re logging into your accounts. 

What is a one-time password?

How are one-time passwords created?

What is a one-time password used for?

Can one-time passwords be exploited?

Staying safe with one-time passwords

What is a one-time password?

One-time passwords are one of the most popular methods for 2FA and multi-factor authentication (MFA). 2FA involves using two methods of user authentication, and using more than two methods of authentication is known as multi-factor authentication (MFA). 

One-time passwords are just one type of many user authentication methods that you can use. The more ways you authenticate your identity, the harder it is for someone to imitate you. The three key methods of user authentication include:

  • Something you know: This could be a password, a PIN, or the answer to a security question.
  • Something you are: This could be any biometric data unique to you, like your fingerprint, face ID, or retina scan.
  • Something you have: This could be either a physical token or a digital token. Physical tokens could include an ID badge or a security key. Digital tokens could include a one-time password sent as an SMS or generated by an authentication app.

A one-time password is a method for logging into an account, similar to a password or touch ID. Often, it’s a randomly generated set of numbers or letters sent to your device to help you log into an account on a one-time basis. You can also receive a one-time password via an authenticator app, a phone call, or a security key. 

As the name suggests, you can only use a one-time password once. Most one-time passwords will also expire after a certain amount of time, so they’re an effective method for confirming that you’re using a specific device at a specific time. 

They’re compatible with any device and any platform. Users aren’t required to take an action like downloading an app or using a security key to use them. They’re also easy, requiring little to no tech knowledge to use. Think of them as a ring of protection around your account – the more rings you put in place, the harder it is for someone to gain access.

How are one-time passwords created?

You can receive a one-time password in many different ways. Some of the most common one-time password delivery methods include SMS, email, authenticator app, and email. Here are some examples, split into physical and digital.

Physical

Some devices can create one-time passwords to help you access your accounts. These include 

  • USB drives and smartcards that can be inserted into your computer, phone, or tablet to verify your identity.
  • Smartphones and banking security devices that can generate their own one-time passwords.
  • Cards or Bluetooth-enabled devices that can also generate one-time passwords as contactless devices.

Digital

Software can also be used to generate one-time passwords:

  • An authenticator app, such as Google Authenticator, can generate 2FA codes to help you access the apps on your phone.
  • A business may send you a one-time password via SMS, push notification, phone call, or email to verify that you’re currently using your device.

What is a one-time password used for?

It’s likely you’ve received a one-time password before. Many websites and businesses use them because they can be more secure than traditional (known as ‘static’) passwords, which are more vulnerable to being leaked in data breaches. Since static passwords are user-generated, there’s also no guarantee that they’re strong. A strong password should use a mixture of special characters and numbers and ideally be randomly generated by a password generator so they’re not easily guessable.

Personal logins

Institutions working with sensitive data, such as banks, healthcare providers, and online retailers, often use one-time passwords to help you log in to each session online. They may use risk-based access, where you will only be prompted to enter a one-time password if you’re trying to perform a specific action: for example, if you’re trying to transfer money from your bank account into an account you’ve never interacted with before. In this instance, verifying your identity will protect both you and the bank.

Professional logins

You may also be required to receive one-time passwords to log into your business tools. Businesses work with sensitive data, which is essential to protect with robust user authentication. Many companies have begun enhancing their online security by enforcing 2FA or MFA. In its Cyber Essentials Starter Kit(new window), the Cybersecurity and Infrastructure Security Agency(new window), the US government agency charged with cybersecurity, recommends enforcing MFA as one of your first actions as a business leader. Requiring workers to authenticate their identities using one-time passwords is an excellent way to protect a business at every level of the workforce.

Can one-time passwords be exploited?

There is no doubt that using an additional method of authentication is safer than just using a static password. However, no method of authentication is 100% secure. 

Passwords sent via SMS and email can be intercepted. By using social engineering, hackers can encourage someone who has received a one-time password to share it. One-time password bots(new window) can intercept passwords before the intended recipient even receives them. Multiple exploits, including SMS phishing (known as smishing(new window)) and SMS pumping,(new window) are available to determined hackers. Sim swapping also allows hackers to gain access to a phone without being anywhere near it.


It’s harder to intercept codes sent from authenticator apps, but it isn’t impossible. In 2020, experts discovered malware installed on Android phones that was able to steal 2FA codes(new window) generated by Google Authenticator.

Staying safe with one-time passwords

Turning on 2FA or MFA is the best way to protect yourself online. A one-time password is an excellent defense when configured properly. The best way to configure your 2FA? With a password manager. A password manager helps you create as many barriers between bad actors and your accounts as possible without requiring you to be a cybersecurity expert

With Proton Pass, you can generate 2FA codes for your accounts using our integrated authenticator. Everything you store in Proton Pass, including codes you generate, is protected by battle-tested end-to-end encryption. That means it’s only available to you. You can also protect your Proton Pass account using a biometric login, increasing your account’s security.    

If you need to send a one-time password to a family member or co-worker, the most secure method is via a secure link. You can limit these links so they can only be accessed a certain number of times and to expire after a chosen amount of time. (It should be noted that you should only share a one-time password if you can verify the identity of the person requesting it – if the request comes via a phone call or an SMS from an unknown sender, take steps to verify their identity.)


You can keep your logins, personal details, and 2FA codes safe in Proton Pass whether you’re using it as an individual or a business. Find out which plan to get started with.

Protect your passwords
Opret en gratis konto

Related articles

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
en
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
en
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
en
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
en
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
en
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
en
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.