Bankopedia

OTP (One-Time Password) — Meaning, Definition & Full Explanation

An OTP, or One-Time Password, is a randomly generated numeric or alphanumeric code sent to a user's registered mobile number or email for a single transaction or login session. It expires within seconds to minutes and cannot be reused, making it far more secure than static passwords. OTPs are the primary authentication method for digital banking in India and are mandated by the Reserve Bank of India (RBI) for all online financial transactions.

What is OTP?

An OTP is a temporary security code generated by your bank's system or a third-party authentication provider during a specific banking action—such as logging into net banking, authorizing a fund transfer, or confirming a payment. The code is typically valid for 5–10 minutes and can be used only once. After expiry or use, the OTP becomes invalid.

The term "one-time" is critical: unlike your username or password, which remain constant across sessions, an OTP is unique to that single moment. Because of this dynamic nature, a password stolen through phishing, keylogging, or a database breach is not enough on its own to authorize a transaction. Even if someone intercepts or guesses an OTP, it cannot be reused once the transaction is complete or the timer expires.

OTPs come in two forms: SMS-based (sent via SMS) and app-based (generated via authenticator apps like Google Authenticator). For Indian banks, SMS-based OTPs remain the most common because they do not require smartphone access, making them inclusive for users with basic mobile phones. The OTP is typically a 6-digit code, though some banks use 4 or 8 digits.

How OTP Works

Step 1: Initiation — You initiate a sensitive banking action, such as logging into mobile banking or authorizing a ₹50,000 fund transfer.

Step 2: Generation — The bank's server generates a unique, random code and timestamps it. The code is encrypted and stored temporarily in the system's memory.

Step 3: Delivery — The OTP is sent to your pre-registered mobile number (for SMS OTP) or displayed in your authenticator app (for app-based OTP). You receive it instantly.

Step 4: Entry — You receive the OTP and enter it in the banking interface within the validity window (usually 5–10 minutes).

Step 5: Verification — The bank's server verifies that the entered OTP matches the stored code, that it has not expired, and that it was issued to the user and session that initiated the request.

Step 6: Authorization — If verification succeeds, the transaction is approved. If the OTP is wrong or expired, the transaction is blocked and you must request a new OTP.
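
Steps 2, 5 and 6 as server-side logic, in an added Python example that is not any bank's code or part of the original page. It stores a keyed hash (HMAC-SHA-256) of the code rather than an encrypted copy, which is a swapped-in technique. The names `issue_otp`, `verify_otp`, `PENDING`, `SERVER_KEY` and the three-attempt cap are assumptions, not taken from the page.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, normally kept in an HSM/KMS
TTL_SECONDS = 600                     # 10-minute validity ceiling stated on the page
MAX_ATTEMPTS = 3                      # assumption: attempt cap, not described on the page
PENDING = {}                          # txn_id -> record; stands in for a server-side cache


def _digest(txn_id, user_id, code):
    # The keyed hash binds the code to one user and one transaction.
    # Assumes the identifiers never contain the "|" separator.
    msg = f"{txn_id}|{user_id}|{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_otp(txn_id, user_id, now=None):
    """Step 2: generate a 6-digit code and keep only its digest and expiry."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded to 6 digits
    PENDING[txn_id] = {"digest": _digest(txn_id, user_id, code),
                       "expires": now + TTL_SECONDS, "attempts": 0}
    return code  # goes to the SMS/push channel only; never logged or stored


def verify_otp(txn_id, user_id, code, now=None):
    """Steps 5-6: check expiry, binding and match; consume the code on success."""
    now = time.time() if now is None else now
    rec = PENDING.get(txn_id)
    if rec is None:
        return "unknown"              # never issued, already used, or locked out
    if now > rec["expires"]:
        del PENDING[txn_id]
        return "expired"
    rec["attempts"] += 1
    # Constant-time comparison avoids leaking how much of the digest matched.
    if hmac.compare_digest(rec["digest"], _digest(txn_id, user_id, code)):
        del PENDING[txn_id]           # single use: a replay finds nothing
        return "ok"
    if rec["attempts"] >= MAX_ATTEMPTS:
        del PENDING[txn_id]           # a 6-digit space must not be guessable by retry
        return "locked"
    return "mismatch"
```

Any result other than `"ok"` blocks the transaction, and after `"expired"`, `"locked"` or `"unknown"` the user has to request a fresh OTP.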

OTP Variants in Indian Banking:

  • SMS OTP: Sent via SMS to the registered mobile number. No internet required. Most banks offer this.
  • App-based OTP: Generated by authenticator apps. More secure but requires a smartphone.
  • Hardware token OTP: Generated by a physical device (less common in retail banking, used mainly in corporate banking).
  • Push notification OTP: Approved via a notification on your bank's mobile app (increasingly common).

OTP in Indian Banking

The RBI has made OTP mandatory for all customer-initiated online transactions since 2009 under the "Master Circular on Banking Regulation Act, 1949 – Miscellaneous Directions." All Scheduled Commercial Banks, including SBI, HDFC Bank, ICICI Bank, and Axis Bank, must implement OTP for:

  • Login to net banking and mobile banking
  • Fund transfers via NEFT, RTGS, and IMPS
  • Debit card transactions above ₹5,000 (Chip & PIN enabled cards exempt if used offline)
  • Payment gateway transactions
  • Loans and credit applications

The RBI also mandates that banks send OTPs through SMS or push notifications, with a validity period not exceeding 10 minutes. Banks are required to not store OTPs in plaintext; they must be encrypted. The NPCI (National Payments Corporation of India) has further standardized OTP requirements for UPI (Unified Payments Interface) transactions, where a 6-digit OTP is standard for high-value transfers.

Under India's Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023, banks are responsible for protecting OTP data from unauthorized access. Customers are advised never to share their OTP with anyone, including bank staff. This is a frequent exam topic in JAIIB and CAIIB syllabuses under customer protection and digital banking security modules.

Practical Example

Priya, a software engineer in Bangalore, wants to transfer ₹75,000 to her brother's account using ICICI Bank's net banking platform at 2:30 PM. She logs into her account, enters her username and password, and initiates the transfer. ICICI Bank's system immediately sends a 6-digit OTP (e.g., 547329) to her registered mobile number. Priya receives the SMS within 10 seconds and enters the OTP on the confirmation screen. The bank verifies the OTP matches the request, confirms her identity, and processes the transfer within seconds. If Priya had entered the wrong OTP or waited 10 minutes without entering it, the transfer would have been blocked and she would need to request a new OTP. This two-factor authentication (her password + OTP) ensures that only Priya can authorize the transaction, even if someone had stolen her password.

OTP vs Password

Aspect | OTP | Password
Validity | Single use; expires in 5–10 minutes | Permanent until user changes it
Generation | Auto-generated by system; unique each time | User-created; static across sessions
Security | High; cannot be reused or predicted | Lower; vulnerable to phishing, weak choices, reuse
Delivery | SMS, email, or app notification | Memorized or stored locally by user

The key difference is permanence. A password is fixed and reusable, making it vulnerable to compromise through data breaches or social engineering. An OTP is temporary and unique, meaning even if intercepted, it cannot be exploited beyond the current session. In Indian banking, both are required together: the password grants access to your account, but the OTP confirms that you are making a specific transaction.

Key Takeaways

  • OTP is mandatory: The RBI requires all Indian banks to use OTP for online transactions since 2009, covering net banking, mobile banking, and payment gateways.
  • Standard validity: OTPs in Indian banking are valid for a maximum of 10 minutes and cannot be reused.
  • Typically 6 digits: Most Indian banks use a 6-digit OTP, though some use 4 or 8 digits.
  • SMS is most common: While app-based OTPs exist, SMS-based OTPs remain the standard in India because they don't require smartphones.
  • Never share your OTP: Banks and RBI explicitly warn that sharing an OTP with anyone—including bank staff—leads to unauthorized transactions and account theft.
  • Prevents unauthorized access: OTP adds a second layer of authentication (two-factor authentication) beyond passwords, making it nearly impossible for fraudsters to complete transactions without your knowledge.
  • NPCI standards apply to UPI: OTP requirements for UPI transfers are standardized by NPCI to ensure consistency across all UPI providers.
  • Exam-relevant topic: OTP security and customer protection are regularly tested in JAIIB and CAIIB examinations under digital banking and regulatory compliance modules.

Frequently Asked Questions

Q: What should I do if I don't receive an OTP?

A: Check that your mobile number is registered with your bank and that you have network connectivity. Wait 30 seconds; SMS can be delayed. If it still doesn't arrive, request a resend or contact your bank's customer support. Some banks offer email-based or app-based OTP as alternatives if SMS fails repeatedly.

Q: Is it safe to receive OTP via SMS in India?

A: Yes. While app-based OTPs are slightly more secure, SMS OTPs are the RBI-approved standard and are secure if you follow basic hygiene: never share the OTP, do not respond to unsolicited messages claiming to be from your bank, and ignore callers asking for your OTP. Banks never ask for OTPs via phone calls.

Q: Can I use the same OTP twice for two different transactions?

A: No. Each OTP is linked to one transaction and one session. Once used, it expires permanently. If you attempt a second transaction, you must request and enter a new OTP. This is a core security feature that prevents fraudulent reuse.