What is a One-Time Password (OTP)?
Traditional passwords are static: once stolen, whether by phishing, a keylogger or a database leak, they can be replayed for as long as they remain unchanged. A one-time password (OTP) is a dynamic password that is valid for only one login session or transaction. An intruder who records an OTP that has already been used to log in or to authorise a transaction cannot abuse it, because by then it is no longer valid.
OTPs are generated by security token devices called OTP tokens. The token derives each code from a secret seed that it shares with the authenticating server, which computes the same value to check what the user typed. Tokens are usually categorised as hardware tokens versus software tokens. A hardware token is a dedicated device for generating one-time passwords and comes in various form factors, such as a key fob, display card, grid card or USB key. A software token is an app that typically runs on a smartphone.
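As an added worked example (not code from the original article or from any token vendor), the following Python implements the HOTP and TOTP algorithms (RFC 4226 and RFC 6238) that most OTP tokens and apps use, together with a minimal server-side verifier that accepts a code at most once. The seed is the RFC test-vector secret, and the TotpVerifier class, its skew parameter and the constructed timestamps are this example's own choices, not part of any product.

```python
import hashlib
import hmac
import struct

# Constructed seed: the shared secret from the RFC 4226 / RFC 6238 test vectors.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the step.
    'at' is passed explicitly so the function is deterministic; a real token
    would use time.time()."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side (hypothetical, for illustration): holds the shared seed and
    the highest time step already consumed, so a code is accepted once only,
    even though the same value stays computable for the rest of its step and
    within the clock-skew window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew          # steps of drift tolerated on either side
        self.last_step = -1       # highest time step that has been used

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_step:
                continue          # already consumed, or older than one that was: replay
            expected = hotp(self.secret, t, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    now = 1000                    # constructed timestamp (time step 33)
    v = TotpVerifier(SEED)
    code = totp(SEED, now)
    print(code, v.verify(code, now))          # first use: accepted
    print(code, v.verify(code, now + 5))      # same code 5 s later: rejected
```

The verifier looks at three candidate steps to tolerate clock drift between token and server, but remembers the step it accepted so that the same code (or an older one) cannot be presented again; that is the property the paragraph above describes, and it must be enforced on the server, since the token itself never sees the login.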
Hardware OTP Token vs. Software OTP App
Both hardware OTP tokens and software OTP apps have their pros and cons. Which is better depends on the deployment context: who the users are, what is being protected and who supports the devices.
From the cost point of view, a hardware OTP token has an upfront cost for purchase and distribution, whereas a software OTP app is commonly free. The app can, however, be expensive to support: users delete it by accident, lose or replace their phones, and every such incident means re-enrolling a new seed through some out-of-band process. A hardware token, once issued, is comparatively simple and cheap to maintain.
From the security point of view, the hardware OTP token has the edge: the seed lives in a dedicated, tamper-resistant device with no general-purpose operating system, network stack or third-party apps around it. A software OTP app stores the seed on a phone that can be lost, rooted or infected, and malware with sufficient privilege can read the seed or the displayed codes no matter how carefully the app itself was designed. Two caveats apply to both forms: an OTP stops replay of a used code but not a real-time phishing relay, in which the victim types a still-valid code into an attacker's page that forwards it to the real service within the validity window; and the seed database on the server (or at the token vendor) needs the same protection as any other credential store, since anyone holding the seeds can generate every user's codes.