Why OTPs Shouldn't Be Part of a Passwordless Strategy
A one-time password (OTP) is often described as “passwordless,” but that label is misleading. An OTP is still a password, just one that expires quickly and is delivered through another channel. That distinction matters, because it means OTPs inherit many of the same security weaknesses and friction as traditional passwords.
Passwordless authentication has been gaining traction, but not always for the right reasons.
Passwords are clearly failing. They’re reused constantly, stolen more frequently, and increasingly ineffective as a security mechanism. At the same time, attempts to “fix” passwords by making them more complex have degraded the user experience.
Security and user experience are two of the top priorities for any digital company, and they’re often in direct conflict. That tension is what has driven interest in passwordless authentication, with the promise of offering stronger security and a better user experience at the same time.
The problem is that not everything labeled “passwordless” actually delivers on that promise.
What is passwordless authentication?
Passwordless authentication verifies a user’s identity using a method that does not require a password.
It’s a broad definition, which is why it’s important to distinguish between the different approaches that fall under the passwordless umbrella. Some methods are more secure. Others prioritize user experience. And some are commonly misclassified altogether.
One method that is often labeled as passwordless—but shouldn’t be—is the one-time password (OTP).
Why OTPs aren't really passwordless
A one-time password is valid for a single session and usually expires after a few minutes. But by definition, it’s still a password.
The only real difference is that users don’t have to remember or store it. Instead, they receive it through a channel like email or SMS. That convenience, however, doesn’t solve the underlying security issues.
While OTPs are dynamic and change frequently, making them an improvement over static credentials, they can still be easily phished or intercepted.
SMS can be intercepted at scale, phone numbers can be compromised through SIM swap attacks, and social engineering continues to be highly effective. Fraudsters regularly trick users into sharing OTPs by posing as customer support or trusted services.
Beyond security, OTPs also introduce significant friction. In many cases, they add more friction than traditional passwords. That friction leads to higher drop-off rates and lower retention, directly impacting the user experience.
What are the authentication alternatives to OTP?
Finding a good alternative to OTP isn't easy, but there has been meaningful innovation in the security space in recent years.
One example is device intelligence, which can recognize devices based on unique attributes and determine whether they should be trusted. Most apps and websites already rely on some form of this technology.
As mobile has become the dominant digital channel, location intelligence has also emerged as a powerful signal.
According to Incognia's data, 90% of legitimate logins and 95% of legitimate high-risk transactions occurred from trusted locations—places that are part of a user’s routine, such as home, work, or frequently visited locations.
Layered security works better than single solutions
There is no silver bullet in security. The most effective approach is layered.
Ideally, apps rely on passive authentication for low-risk scenarios and introduce the friction of multi-factor authentication only when higher risk is detected. This allows companies to provide a frictionless experience for the vast majority of legitimate users while still keeping fraudsters out.
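As an added illustration of the layered, risk-based approach described above (example code written for this article, not Incognia's product or any real scoring model), the following Python builds a user's trusted devices and trusted locations from a constructed login history, scores a new login from those passive signals plus the sensitivity of the requested action, and only asks for step-up MFA when the combined risk crosses a threshold. The clustering radius, minimum-visit counts, penalty weights and threshold are all assumed values chosen for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    device_id: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def trusted_locations(history, radius_km=0.5, min_visits=3):
    """Greedy proximity clustering of past logins; a cluster visited at
    least min_visits times counts as part of the user's routine."""
    clusters = []  # each entry: [lat, lon, visit_count]
    for ev in history:
        for c in clusters:
            if haversine_km(ev.lat, ev.lon, c[0], c[1]) <= radius_km:
                c[2] += 1
                break
        else:
            clusters.append([ev.lat, ev.lon, 1])
    return [(lat, lon) for lat, lon, n in clusters if n >= min_visits]


def trusted_devices(history, min_logins=2):
    """Devices seen on at least min_logins prior logins are considered known."""
    counts = Counter(ev.device_id for ev in history)
    return {dev for dev, n in counts.items() if n >= min_logins}


def risk_score(event, history, high_risk_action, radius_km=0.5):
    """Assumed penalty weights: unknown device +2, untrusted location +2,
    high-risk action (e.g. payout, password change) +1."""
    score = 0
    if event.device_id not in trusted_devices(history):
        score += 2
    near_trusted = any(
        haversine_km(event.lat, event.lon, lat, lon) <= radius_km
        for lat, lon in trusted_locations(history, radius_km)
    )
    if not near_trusted:
        score += 2
    if high_risk_action:
        score += 1
    return score


def decide(event, history, high_risk_action, step_up_threshold=3):
    """Passive allow for low combined risk; step-up MFA otherwise."""
    score = risk_score(event, history, high_risk_action)
    return "step_up" if score >= step_up_threshold else "allow"


# Constructed login history for one user: a home cluster (4 visits),
# a work cluster (3 visits) and a single one-off location; one primary
# device "dev-A" and a device "dev-B" seen only once.
HISTORY = [
    LoginEvent("dev-A", 40.7128, -74.0060),
    LoginEvent("dev-A", 40.7129, -74.0061),
    LoginEvent("dev-A", 40.7127, -74.0059),
    LoginEvent("dev-B", 40.7128, -74.0062),
    LoginEvent("dev-A", 40.7580, -73.9855),
    LoginEvent("dev-A", 40.7581, -73.9856),
    LoginEvent("dev-A", 40.7579, -73.9854),
    LoginEvent("dev-A", 40.6892, -74.0445),
]

if __name__ == "__main__":
    routine = LoginEvent("dev-A", 40.7130, -74.0058)
    print(decide(routine, HISTORY, high_risk_action=False))  # allow
    new_device_payout = LoginEvent("dev-B", 40.7130, -74.0058)
    print(decide(new_device_payout, HISTORY, high_risk_action=True))  # step_up
```

The design point is that neither signal is a single gate: a known device from an unfamiliar place, or an unfamiliar device from a routine place, still passes for a low-risk action, while the combination of anomalies, or one anomaly plus a sensitive action, triggers the extra factor.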
OTPs should not be treated as a passwordless solution
OTPs are a type of password, and not a particularly strong one. They fall short both in terms of security and user experience.
Companies looking to adopt passwordless authentication to improve security and reduce friction should look beyond OTPs and invest in solutions that are genuinely passwordless and better aligned with modern threat models.