OTPs are one-time passwords (the abbreviation comes from the English "one-time password") that are used for a single authentication session. Their validity is usually limited in time. You may have received such codes by phone or mail when trying to access online banking or when setting up two-factor authentication using the Google Authenticator app.

Unlike a static password, a one-time password provides greater security: even if an attacker intercepts it, he may not have time to use it. OTPs are created by a random-number algorithm, so a fraudster will not be able to guess which sequence will come next. This is another advantage of OTPs.

Of course, the longer the password, the harder it is for an attacker to guess, but the harder it also is for an ordinary user to remember it and enter it manually in time. This is where technology comes to the user's aid. The YubiKey is one of the most effective options, so let's take a look at how it works.

How OTP passwords work with YubiKey

YubiKey 5 and YubiKey FIPS series security keys support several OTP protocols:

  • Yubico OTP: a 128-bit password consisting of 44 characters; 12 of them never change and serve as an identifier for the YubiKey device itself. Such a password is almost impossible to forge. Below is an example of such a password, generated three times.






  • OATH-HOTP and OATH-TOTP: 6-8 digit one-time passwords that change within 30 seconds. A TOTP code is generated using the hash HMAC(sharedSecret, timestamp), where the timestamp changes every 30 seconds. The shared secret is often provided as a QR code or pre-programmed into a hardware token. HOTP codes use an authentication counter instead of a timestamp. Because TOTP codes depend on the time, it is important when setting up this feature to make sure the clock on the device is set to the correct time.
Benefits of using OTP on YubiKey

    • Secrets always remain on the YubiKey, and it is impossible to read them out. On a phone or computer, by contrast, information can be read if the device is hacked and spyware is launched on it.
    • The keys do not require recharging, unlike a phone, which is very often used for two-factor authentication. So even if you forget to recharge your phone, you can still access your accounts anywhere using the hardware device.

    OTPs triggered by touch on a computer

    If you configure the OTP function on the YubiKey so that it is triggered by touch, the authentication process looks like this:

    • at the request of the server, you need to insert the key into the USB socket;
    • place the mouse cursor in the text field;
    • touch the golden metal part and the key will automatically transmit the OTP password.

    OTPs triggered by touch on a mobile device

    Since the mobile device has an NFC function, the authentication process is a little different: you need to bring the key to the back of the phone and touch the field on the screen where the password should be entered. The key can also be connected to a mobile device using the appropriate interface: USB-C or Lightning.

    How to configure OATH-HOTP and OATH-TOTP

    You can configure the one-time password function on the YubiKey in two ways:

    Thanks to an intuitive interface, you can quickly configure the relevant features and use the hardware devices to their fullest extent to increase the security of your accounts and protect against phishing.

    If you don’t know which YubiKey will best suit your needs, we recommend taking a quick test.
