OTP (one-time passcode)
A single-use numeric or alphanumeric code, usually sent by SMS or generated by an authenticator app, used to verify your identity during login or transactions.
Also known as: one-time password, verification code, TOTP
Last reviewed: 1 June 2026
A one-time passcode (OTP) is a short code — typically 4–8 digits — that is valid for a single authentication event and expires within seconds or minutes. Banks, email providers, and online services use OTPs as a second factor to confirm your identity beyond just a password.
OTPs can be delivered by SMS text, automated voice call, or generated by an authenticator app (TOTP). App-generated OTPs are more secure because they cannot be intercepted by SIM swap or call forwarding; SMS-based OTPs are vulnerable to both.
Fraudsters frequently try to steal OTPs by calling victims and pretending to be a bank, posing as a customer-service agent, or using real-time phishing toolkits that relay OTPs instantly. A legitimate bank or service will never ask you to read an OTP back to them over the phone.