OTPs Explained (2024)

A YubiKey OTP is generated from the fields below, packed into a single 16-byte block and encrypted with a 128-bit AES key unique to that key. The result is the 32-character modhex string that follows the 12-character public ID, so a complete OTP is 44 modhex characters.

Mnemonic      Byte offset   Size   Description
uid           0             6      Private (secret) id
useCtr        6             2      Usage counter
tstp          8             3      Timestamp
sessionCtr    11            1      Session usage counter
rnd           12            2      Random number
crc           14            2      Checksum (see below)

Private ID

The private id field comprises 6 bytes copied from the private id configuration value. It can be used to store a private identity that becomes readable only when the OTP is decrypted by a Yubico OTP validation server holding the AES key used to encrypt it.

Yubico has declared end-of-life for the YubiKey Validation Server (YK-VAL) and YubiKey Key Storage Module (YK-KSM). These have been moved to YubicoLabs as a reference architecture. See article, YK-VAL, YK-KSM and YubiHSM 1 End-of-Life.

The verifying instance must compare this field against the expected value. If the OTP was encrypted with a different AES key, decryption yields an unrelated block and this field will not match; the OTP must then be rejected.

Session usage counter

At power-up the session usage counter is initialized to zero and is incremented by one after each OTP is generated. When it wraps from 0xff to 0, the usage counter field is incremented automatically.

Usage counter

The usage counter is a non-volatile counter whose value is preserved when the device is unplugged. The first time the device is used after a power-up or reset, this value is incremented by 1 and the session counter is set to zero.

This field is only 15 bits wide, giving a usable range of 1 – 0x7fff. When the counter reaches 0x7fff it stops there. One might think this could leave a YubiKey practically useless within its lifetime. However, for a YubiKey used five times a day, 365 days a year, it would take about 18 years for the counter to get stuck (0x7fff = 32767 increments at 1825 per year), and since the counter increments only on the first use after a power-up or reset, the practical lifetime is even longer.

If the counter does reach its final value, the device can still be re-configured, which resets the counter. The field is stored in little-endian format, i.e. the least significant byte is stored first.

Timestamp

The timestamp is a 24-bit field incremented at a rate of approximately 8 Hz. At startup it is set to a random value taken from the internal random number generator.

This field may be used by the verifying party to determine the time elapsed between two subsequent OTPs received during a session.

This field wraps from 0xffffff to 0 without any further action, and a verifying party that uses it must account for the wrap. At 8 Hz the timer wraps roughly every 24 days (2^24 ticks / 8 per second). The field is stored in little-endian format, i.e. the least significant byte is stored first.

Random number

A 16-bit random number is picked from the internal random number generator to add some additional entropy to the final result.

Checksum

A 16-bit ISO 13239 CRC, stored as its one's complement, is added at the end. The checksum covers all bytes except the checksum field itself. It is verified by computing the CRC over all 16 bytes, including the checksum field; for a valid OTP this yields the fixed residual 0xf0b8. If the residual differs, the OTP must be rejected.

The field is stored in little-endian format, i.e. the least significant byte being stored first.
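The field layout, counter rules, timestamp wrap and checksum residual described above, as an added worked example that is not Yubico's code and not part of this page: a stdlib-only Python implementation of modhex, the ISO 13239 CRC-16, the 16-byte token layout and a verifier that applies the private-id, replay and checksum checks. It works on the plaintext block, i.e. what a validation server holds after decrypting the 32 modhex characters with the key's AES-128 key; the AES step itself is left out, and the private id, counters, timestamps and random values are constructed sample data.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # modhex alphabet; the index of a char is its nibble value
CRC_OK_RESIDUE = 0xF0B8       # crc16 over all 16 bytes of a valid token
TSTP_RATE_HZ = 8              # timestamp tick rate
TSTP_MODULUS = 1 << 24        # 24-bit timestamp wraps to 0 here
USE_CTR_MASK = 0x7FFF         # usage counter is 15 bits wide


def modhex_decode(s: str) -> bytes:
    """Modhex -> bytes (two chars per byte, high nibble first)."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not a modhex string")
    n = [MODHEX.index(c) for c in s]
    return bytes((hi << 4) | lo for hi, lo in zip(n[::2], n[1::2]))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def crc16(data: bytes) -> int:
    """ISO 13239 CRC-16 as the YubiKey uses it: init 0xffff, reflected poly 0x8408, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def pack_token(uid: bytes, use_ctr: int, tstp: int, session_ctr: int, rnd: int) -> bytes:
    """Lay out the 16-byte plaintext block (multi-byte fields little-endian) and
    append the one's complement of the CRC over the first 14 bytes."""
    if len(uid) != 6 or not 1 <= use_ctr <= USE_CTR_MASK or not 0 <= tstp < TSTP_MODULUS:
        raise ValueError("field out of range")
    body = (uid + struct.pack("<H", use_ctr) + tstp.to_bytes(3, "little")
            + bytes([session_ctr]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def unpack_token(block: bytes) -> dict:
    """Parse a decrypted block; the CRC over all 16 bytes must leave the fixed residual."""
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("checksum invalid")
    return {
        "uid": block[0:6],
        "use_ctr": struct.unpack("<H", block[6:8])[0] & USE_CTR_MASK,
        "tstp": int.from_bytes(block[8:11], "little"),
        "session_ctr": block[11],
        "rnd": struct.unpack("<H", block[12:14])[0],
    }


class Verifier:
    """Per-key state a validation server keeps: the expected private id and the
    counters/timestamp of the last OTP it accepted."""

    def __init__(self, expected_uid: bytes):
        self.expected_uid = expected_uid
        self.last = None   # (use_ctr, session_ctr, tstp) of the last accepted OTP

    def verify(self, block: bytes) -> tuple:
        try:
            tok = unpack_token(block)
        except ValueError as exc:
            return False, f"rejected: {exc}"
        if tok["uid"] != self.expected_uid:
            # a block decrypted with the wrong key (or forged) does not carry the right private id
            return False, "rejected: private id mismatch"
        ctr = (tok["use_ctr"], tok["session_ctr"])
        if self.last is not None and ctr <= self.last[:2]:
            return False, "rejected: replay (counters not greater than last accepted)"
        note = "accepted"
        if self.last is not None and tok["use_ctr"] == self.last[0]:
            # same power-up session: the timestamp delta is meaningful; mod 2^24 handles the wrap
            ticks = (tok["tstp"] - self.last[2]) % TSTP_MODULUS
            note = f"accepted, {ticks / TSTP_RATE_HZ:.1f}s since previous OTP"
        self.last = (tok["use_ctr"], tok["session_ctr"], tok["tstp"])
        return True, note


def demo() -> list:
    """Constructed session: first OTP after power-up, a second one 40 ticks (5 s) later
    across the timestamp wrap, then a replay, a wrong-key block and a corrupted block."""
    uid = bytes.fromhex("0102030405aa")          # constructed private id
    v = Verifier(uid)
    t1 = pack_token(uid, use_ctr=1, tstp=0xFFFFF0, session_ctr=0, rnd=0x1234)
    t2 = pack_token(uid, 1, (0xFFFFF0 + 40) % TSTP_MODULUS, 1, 0x5678)
    wrong_key = pack_token(bytes(6), 2, 0, 0, 0)  # stands in for a block decrypted with the wrong AES key
    corrupt = bytearray(t2)
    corrupt[9] ^= 0x01                            # one flipped bit in the timestamp
    results = [v.verify(t1), v.verify(t2), v.verify(t2), v.verify(wrong_key), v.verify(bytes(corrupt))]
    # on the wire the 32 modhex chars carry the *encrypted* block; the conversion is the same
    assert modhex_decode(modhex_encode(t1)) == t1 and len(modhex_encode(t1)) == 32
    return results


if __name__ == "__main__":
    for ok, msg in demo():
        print(ok, msg)
```

The replay rule compares (useCtr, sessionCtr) as a pair, which is why a later session with a lower session counter is still accepted; the timestamp is only compared within one power-up session, since it restarts at a random value after every plug-in.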


FAQs

OTPs Explained?

A One Time Password or OTP is a security code designed to be used for a single login attempt or transaction, to minimize the risk of fraudulent attempts and maintain high security.

How do OTPs work?

OTP authentication works by delivering a one-time code made up of letters and/or digits to a second factor that is checked in addition to a username and password. Common delivery channels are SMS, voice calls and email; authenticator apps and hardware tokens instead generate the code on the device itself.

What do OTPs do?

The OTP feature prevents some forms of identity theft by making sure that a captured username/password pair cannot be used a second time.

What are OTPs on my phone?

A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. An OTP is more secure than a static password, especially a user-created password, which can be weak and reused across multiple accounts.

What is the meaning of OTPs in messages?

OTP means One Time Password: it's a temporary, secure PIN code sent to you via SMS or e-mail that is valid only for one session. Smart-ID uses OTPs during registration and account renewal to confirm your contact information.

Why are so many OTPs coming to my phone?

Phishing attempts: in some cases you might receive bulk OTPs due to phishing attempts. Hackers or scammers may try to gain unauthorized access to your accounts by pretending to be a legitimate service and sending fake OTPs.

Why are OTPs 6 digits?

A 6-digit OTP has 10^6 possible values against 10^4 for a 4-digit one, so an attacker who guesses blindly has 100 times more codes to try. Code length only matters together with the code lifetime and a limit on failed attempts: in the system cited here the 6-digit code expired after at most 15 minutes, so the OTP has to be reset within 15 minutes before it becomes susceptible to brute force.

What is the purpose of an OTP?

A one-time password (OTP) is an identity verification tool for authenticating users logging into an account, network, or system. A user is sent a password containing a unique string of numbers or letters that can only be used once to log in. Used or not, these password codes expire after a short period of time.

What can someone do with my OTP?

An OTP is tied to the email address or mobile number registered with the service provider, so in most cases an attacker obtains it by scamming you: either by stealing it without your knowledge (for example through malware on the phone) or by tricking you into revealing it. SMS delivery can also be attacked without your involvement, through SIM swapping or interception, which is why authenticator apps or hardware tokens are preferred where available.

How secure are OTPs?

OTPs are time-sensitive: they expire after a short period or after one use, whichever comes first. Compared to traditional static passwords, OTPs provide more security because the user has to be the rightful owner of the receiving device or account in order to obtain the code and proceed to verification.

Should I auto delete OTPs?

By enabling auto-delete OTPs in the Messages settings, users can ensure that older OTP messages are promptly removed. This reduces inbox clutter and safeguards sensitive information. Here's how you can auto-delete your one-time password when using Android phones: Open Google Messages.

Why am I getting unwanted OTPs?

If you happen to receive an OTP which you have not requested, it classifies as an unauthorised OTP. Receiving an unauthorised OTP means that someone is trying to get unauthorised access to your account or conduct a fraudulent transaction. Either way, it is a cause for worry and should not be ignored.

What is an example of an OTP password?

A time-based OTP is not a hash of the clock reading alone: the generator takes a secret shared with the server at enrolment, computes a keyed hash (HMAC) over the current 30-second time step, and truncates the result to a short numeric code, typically 6 to 8 digits. Anyone who knows the time but not the secret cannot produce the code.

Where are OTPs sent?

One-Time Passwords, or OTP codes, are a valuable security measure used by many online services such as Google or Facebook to protect user accounts. OTPs are generated randomly and are often sent to a user's mobile phone or email address in order to authenticate their identity.

Why am I getting an OTP text?

Receiving an unprompted one-time passcode (OTP) sent as an email or text should be a cause for concern, as it likely means your credentials have been stolen. One of the initial components of a cyberattack is the theft of legitimate credentials to corporate networks and online services.

What does it mean when someone sends you OTP?

Outside of security, OTP also stands for One True Pairing, a fan-culture term for a person's favorite fictional romantic relationship.

What happens when someone gets your OTP?

OTP fraud involves tricking people into revealing the temporary security codes that let them log into their digital accounts with an extra layer of authentication, letting scammers steal money, data, and more. This type of fraud is more challenging to pull off, but tactics are getting more sophisticated.

How do OTP cards work?

The card generates a one-time passcode that is used to authenticate the cardholder attempting to access a specific resource or sign a transaction. The PIN pad protects access to the OTP and enables transactions to be signed.

How do time-based one-time passwords work?

A Time-Based One-Time Password (TOTP) is a short code that changes with time. Typically it appears as a six-digit number that regenerates every 30 seconds. TOTPs are derived from a shared secret handed to the user at registration, in the form of a QR code or in plaintext, combined with the current time step through a keyed hash.

How do OTP tokens work?

One-time password (OTP) tokens are hardware devices or software programs that generate one-time passwords. Most commonly these are numeric codes of 4 to 12 digits, produced from a secret stored in the token together with a counter or the current time. Smartphones are commonly used to generate or receive one-time passwords.

Article information

Author: Melvina Ondricka
