---
title: "One-Time Password — AP Cybersecurity Definition & Exam Guide"
description: "A one-time password (OTP) is a temporary code used once during login, often as an MFA factor, to block attackers who steal or guess your regular password."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/one-time-password"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 1"
---

# One-Time Password — AP Cybersecurity Definition & Exam Guide

## Definition

A one-time password (OTP) is a temporary code that's valid for a single login (or a short time window) and is used as an extra proof of identity alongside your regular password, making it a common form of multifactor authentication.

## What It Is

A one-time password (OTP) is exactly what it sounds like: a [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") you use once and then it's gone. Instead of typing the same static password every time, you get a short code (often 6 digits) that's only good for one login or a brief window, like 30 seconds. After that, it's dead.

The whole point is that even if an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") steals or guesses your regular password, they still can't get in without that fresh code. The CED describes this in EK 1.2.C.3: when you enable [multifactor authentication](/ap-cybersecurity/key-terms/multifactor-authentication "fv-autolink") (MFA), the system asks for "extra proof of identity, such as a one-time code," on top of your password. That one-time code is the OTP. It might arrive by text, show up in an authenticator app, or be generated by a hardware token. Because it changes constantly and expires fast, a stolen password alone isn't enough to break in.

## Why It Matters

OTPs live in [Unit 1](/ap-cybersecurity/unit-1 "fv-autolink"): Introduction to Security, specifically Topic 1.2, Suspicious Website Logins. They're the concrete payoff of learning objective [AP Cybersecurity](/ap-cybersecurity "fv-autolink") 1.2.C, which asks you to explain how to make authentication stronger. EK 1.2.C.3 names the one-time code as the classic MFA factor that adds a second layer beyond the password. So the OTP isn't a side detail. It's the answer to the question "the password got compromised, now what?" Knowing why OTPs work ties together everything in 1.2 about weak authentication and password attacks.

## Connections

### Multifactor Authentication / MFA (Unit 1)

MFA is the strategy, and the OTP is the most common tool that makes it happen. MFA means proving who you are with more than one type of [factor](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7 "fv-autolink"), and the one-time code is usually the second factor stacked on top of your password.

### [Online Password Attack (Unit 1)](/ap-cybersecurity/key-terms/online-password-attack)

In an [online password attack](/ap-cybersecurity/key-terms/online-password-attack "fv-autolink") (EK 1.2.A.1), adversaries try logging in with common or stolen passwords. An OTP shuts this down because guessing or stealing the password gets them nothing without the fresh code they can't predict.

### Brute Force and Dictionary Attacks (Unit 1)

These attacks automate password guessing, including dictionaries built from your personal info (EK 1.2.B.2). An OTP defeats them by adding a second factor that can't be brute-forced from a wordlist, so the attacker's whole strategy collapses.

### Authentication Logs (Unit 1)

[Authentication logs](/ap-cybersecurity/unit-4/detecting-attacks-on-devices/study-guide/JpiXN2cti74uJERazuw3 "fv-autolink") reveal the signs of an attack from EK 1.2.A.2, like many failed logins or attempts from unknown devices. When OTP-based MFA is on, those failed attempts stay failed, because the attacker never clears the second factor.

## On the AP Exam

Expect OTPs to show up in Unit 1 questions about strengthening authentication. A multiple-choice stem might describe a stolen password scenario and ask which control would still protect the account, where the answer points to MFA using a one-time code. You should be able to explain WHY an OTP helps, not just name it: because it expires fast and changes every time, a stolen or guessed password is useless on its own. No released FRQ has used this term verbatim, but it fits perfectly into any response asking you to recommend stronger authentication or explain how to defend against online password attacks.

## one-time password vs regular (static) password

A regular password is something you set once and reuse for every login, so if it leaks, the account is exposed until you change it. A one-time password is generated fresh, valid for a single use or a short window, and then worthless. The OTP doesn't replace your password; it adds a second factor on top of it.

## Key Takeaways

- A one-time password (OTP) is a temporary code that works for only one login or a short time window, then expires.
- The OTP is the classic second factor in multifactor authentication, named in EK 1.2.C.3 as the "one-time code" added on top of your password.
- Because it constantly changes and expires fast, an OTP protects you even when an adversary has stolen or guessed your regular password.
- OTPs directly counter online password attacks, brute force, and dictionary attacks, since cracking the password alone no longer gets the attacker in.
- On the exam, be ready to explain WHY OTPs strengthen authentication, not just identify that they do.

## FAQs

### What is a one-time password in AP Cybersecurity?

It's a temporary code valid for a single login or short time window, used as a second factor in multifactor authentication. The CED references it in EK 1.2.C.3 as the "one-time code" that adds an extra layer of identity proof beyond your password.

### Does an OTP replace my regular password?

No. An OTP is added on top of your password as a second factor, not instead of it. That stacking is the whole idea of multifactor authentication: you need both the password AND the fresh code to get in.

### How is a one-time password different from a regular password?

A regular password is static, so you reuse it every time and it stays valid until you change it. A one-time password is generated fresh, used once, and then expires, which is why a stolen OTP is far less dangerous than a stolen static password.

### Why does an OTP protect against password attacks?

Online password attacks, brute force, and dictionary attacks all target your password. Even if an attacker guesses or steals it, they still can't produce the constantly changing OTP, so the second factor blocks them.

### Is the one-time password the same as MFA?

Not quite. MFA is the broader strategy of requiring more than one type of identity proof, and the OTP is the most common tool used to deliver that second factor. Think of MFA as the goal and the OTP as one way to reach it.

## Related Study Guides

- [1.2 Suspicious Website Logins](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/one-time-password#resource","name":"One-Time Password — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/one-time-password","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/one-time-password#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:29.979Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/one-time-password#term","name":"one-time password","description":"A one-time password (OTP) is a temporary code that's valid for a single login (or a short time window) and is used as an extra proof of identity alongside your regular password, making it a common form of multifactor authentication.","url":"https://fiveable.me/ap-cybersecurity/key-terms/one-time-password","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is a one-time password in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's a temporary code valid for a single login or short time window, used as a second factor in multifactor authentication. The CED references it in EK 1.2.C.3 as the \"one-time code\" that adds an extra layer of identity proof beyond your password."}},{"@type":"Question","name":"Does an OTP replace my regular password?","acceptedAnswer":{"@type":"Answer","text":"No. An OTP is added on top of your password as a second factor, not instead of it. That stacking is the whole idea of multifactor authentication: you need both the password AND the fresh code to get in."}},{"@type":"Question","name":"How is a one-time password different from a regular password?","acceptedAnswer":{"@type":"Answer","text":"A regular password is static, so you reuse it every time and it stays valid until you change it. A one-time password is generated fresh, used once, and then expires, which is why a stolen OTP is far less dangerous than a stolen static password."}},{"@type":"Question","name":"Why does an OTP protect against password attacks?","acceptedAnswer":{"@type":"Answer","text":"Online password attacks, brute force, and dictionary attacks all target your password. Even if an attacker guesses or steals it, they still can't produce the constantly changing OTP, so the second factor blocks them."}},{"@type":"Question","name":"Is the one-time password the same as MFA?","acceptedAnswer":{"@type":"Answer","text":"Not quite. MFA is the broader strategy of requiring more than one type of identity proof, and the OTP is the most common tool used to deliver that second factor. Think of MFA as the goal and the OTP as one way to reach it."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 1","item":"https://fiveable.me/ap-cybersecurity/unit-1"},{"@type":"ListItem","position":4,"name":"one-time password"}]}]}
```
