One-Time Password
A short numeric or alphanumeric code valid for a single authentication event, delivered out-of-band (SMS, email, authenticator app) or computed from a shared secret.
OTP is not the same as MFA or 2FA. OTP is one factor (something you have — the device or account that received the code); MFA is two or more factors combined. "I sent you an OTP" describes a single factor; "I sent you an OTP after you typed your password" describes 2FA.
The recurring mistake is treating SMS OTP as a sufficient second factor in 2026. NIST SP 800-63B-4 (2024) and OCR enforcement guidance both signal that SMS is below the AAL2 bar. The migration path is TOTP via authenticator app, push notification with number matching, or passkeys (FIDO2). The "but our users only have a phone" objection is real but solvable — TOTP authenticator apps run on every smartphone.
Common questions
What is the difference between OTP and TOTP?
Is SMS OTP still considered secure in 2026?
Is OTP the same as 2FA?
In the guides
Magic Links vs OTP: Picking the Passwordless Fallback
Magic links and OTP (email, SMS) are the two common passwordless fallbacks. A practical comparison: deliverability, security, UX, and when each is the right choice.
Multi-Factor Authentication (MFA): A 2026 Practitioner's Guide
How to roll out MFA in CIAM in 2026: factor selection, adoption, recovery design, anti-patterns, and where SMS OTP no longer meets the standard.
Deprecating SMS OTP in 2026: Why, When, and How
NIST SP 800-63-4 places SMS OTP outside AAL2. The 2026 question is how to migrate the install base off SMS, what to replace it with, in what order, and the patterns that work.
TOTP vs SMS OTP: And Why One Is Being Deprecated
TOTP and SMS OTP look identical to the user — a six-digit code — but the security models differ sharply. NIST removed SMS from AAL2 in 2024; TOTP remains acceptable. Migration matters.