March 1, 2023

    Understanding One-Time Password (OTP) Authentication Options

    Over the last few weeks, we have focused on authentication progressing through an overview of Multi-Factor Authentication (MFA), the most used type of MFA – one-time password (OTP), and today we will review some of the most common delivery methods for OTPs (One-time passwords).

    Regardless of which One-Time Password (OTP) authentication method you use, choosing an OTP generator like an authenticator app or key fob is a safer way to use MFA/OTP than, say, SMS texting. Cyber criminals have found ways to intercept SMS codes, whether it’s SIM card fraud, accessing an iCloud or Google account tied to your messaging, or by sending you an infected link allowing them to take control of your phone remotely and view your messages directly on your device. While SMS-based MFA might be better than no MFA at all, it is a lot less secure than using a hardware/physical key code generator like a key fob (which we reviewed in our last blog) or having an authenticator app on your mobile device.

    Hardware/Physical Key

    Hardware, or a physical key, is something you can hold. These devices generate OTPs based on a cryptographic key stored inside. The same cryptographic key is also held by a server. These devices synchronize with one another using a secret key/seed value allowing them to generate the same OTP and verify the value entered by the user matches that of the server.

    The user interfaces (UIs) for hardware/physical keys can vary. For example, a device with a keypad that requires a PIN to be entered by the user before the OTP is displayed, a physical token that presents a one-time password with a time step on a built-in screen, or a device (sometimes called a dongle) inserted into the USB port of a computer to access information. Hardware/physical keys are considered one of the most secure methods of MFA.



    • They are high maintenance and require staff to handle deployment, replacement costs, and support questions.
    • Hardware tokens are small and can be lost/stolen more easily. If a hard token falls into the wrong hands this can lead to a larger security issue for your organization.
    • Since most users have a single hard token that allows them access to multiple systems, a missing hardware token could keep them from performing job functions until a replacement is provided.


    SMS/Text OTP requires a mobile device, or a device where you can access your text message (this could be a laptop with your text messages accessible through the cloud. Once a user enters their username and password, an SMS message is automatically sent to their phone number with a unique authentication code. The user will input the code to verify the authorization, and only then is access granted.

    Most people are comfortable with having an authentication code sent to them via SMS now-a-days because our banks, streaming services, and shopping accounts like Amazon use SMS verification. This means there is no learning curve for most. Hence, SMS is one of the most popular methods for receiving an MFA code.



    • SMS codes can be intercepted by cyber criminals through various methods like SIM swapping, spy apps, and trojan horse links.
    • Requires a reliable cell phone signal and battery life.
    • May result in occasional SMS delivery failures which might affect an employee’s ability to complete job functions, and might create frustration.
    • Although rare, these 3rd Party Messaging providers often incur a per text charge, and if an employee is receiving the text messages while out of the country, the international charge could be significant depending on where they are in the world.

    SMS authentication is not without its flaws, but it is one of the more popular solutions for a few reasons: it’s affordable, works most of the time and is easy to implement.


    Email OTP follows the same process as SMS/text authentication, but the code is sent to an email address instead of a phone number. It’s widely considered the least secure form OTP because an email address is not tied to a specific device like a phone number or hard token.



    • A password can usually be reset from an email account making it far less secure than other OTP methods.
    • An internet connection is required to access email, and if the connection is unavailable, then code cannot be received and used.
    • Email accounts are the biggest target of bad actors and over 90% of cyberattacks infiltrate an organization via email.

    Email OTP makes it easy to compromise many accounts at once when an email address has been compromised. Additionally, because this form of OTP does not require a secure internet connection, and since email systems are the main target of bad actors, we would recommend using a different form of OTP that is not based solely on email access.


    OTPs are generated and accessible directly on a user’s device such as a smartphone like Duo Authenticator, Okta Authenticator, 2FA (2 Factor Authentication), Google Authenticator, or Microsoft Authenticator. These OTPs are not transmitted to the device through networks like the Internet or the Global System for Mobile Communications (GSM). Today, smartphones are used in many of our everyday business operations. This makes using a mobile authenticator app a quite simple and easy solution.



    Integrating OTPs using a mobile authentication delivery method is not easy. DevOps must delegate resources to develop and manage these authentication apps, and your users must adopt a new process which could cause headaches for systems administrators. However, authentication applications are considered best practice for MFA to protect sensitive data.

    Are Your Files Being Transferred Securely?

    Each of the methods described in this blog are more secure than utilizing only a username and password. There are unique advantages and drawbacks to each OTP delivery method, and we would recommend some more than others. While security is the primary consideration when choosing an OTP delivery method, the user experience and overall implementation costs should also be evaluated. There are also other essential control features to consider for secure file sharing.

    Sharetru offers various authentication methods and security features to fit your business needs. We offer flexibility like having different methods of OTP for different users. Sharetru provides your organization with the tools to build a strong file transfer authentication policy. Our platform is designed with security and compliance in mind for businesses of all sizes. Learn more about our different plans and features such as MFA, unlimited users, dedicated servers, automation rules, activity logs, consistent security controls, SSO integration, and more.

    Brendon Ainsworth

    Brendon, Sharetru's CRO & VP of Sales, brings diverse industry experience, excelling in GCP & AWS infrastructure certifications.

    Other posts you might be interested in

    View All Posts