What am I?
To do any transaction online, you need a username and password or Internet personal identification number (PIN). However, in order to step up security, some banks will ask you for an additional password or PIN that is valid for just one transaction. That’s me—the one-time PIN or one-time password (OTP). At present in India, some banks such as Citibank, Axis Bank and HSBC offer this facility.
How am I generated and sent?
Generation: An OTP is usually generated by a device or an algorithm. It is based on randomness. Randomness means that there is no link or connection between the series of passwords generated. Randomness is especially important to ensure that a hacker is not able to predict what the next password would be by studying all the previous ones generated for the user.
Sending channel: An OTP is an out of band authentication. This means that it helps to establish the identity of the user through a channel other than the one through which the primary verification is done. For instance, for an Internet transaction the out of band authentication could be done via mobile and for a mobile transaction it could be done through a digital token.
How do you use me?
Different institutions have different systems in place. The more common channel as of now is via SMS. So if you are a net banking customer, then it is advisable to update your contact details regularly. When you log into your net banking account and initiate a transaction, your bank may, depending on the nature of the transaction, necessitate you to use the additional OTP. This is then SMSed to the mobile number linked to your account. The validity of the password varies between 3-30 minutes depending on the type of account you hold, the nature of the transaction initiated and the region you are based in.
Some banks use digital tokens. A digital token is a security device in the form of a small numeric display unit that keeps generating a numeric code every few minutes. If you log on to your net banking account for any transaction, then once you enter your username and password, you will be asked to key in the code displayed by the security device at that point.
Why and when should you use me?
I am especially important when you are doing high-risk transactions. These include any transaction where money is flowing out from your account to a third party such as transfer of funds. It is also important if you are changing any of your profile information, such as contact details, as information could fall in the wrong hands.
Hence the biggest advantage of using me is safeguarding your account. If a hacker uncovers your login ID and password, he still can’t hack into you account without me. I am difficult to guess and am valid for a very limited time span, so the hacker will not be able to crack me easily.