In AP Cybersecurity, OTP (one-time password) is a temporary, single-use code that a user provides in addition to their password as a second factor of authentication, making logins much harder for adversaries to break (EK 1.2.C.3).
OTP stands for one-time password, a code that works exactly once and then expires. You've used one if a site ever texted you a six-digit number or made you open an authenticator app. The whole point is that even if someone steals your regular password, they still can't log in without that fresh, short-lived code.
In the AP Cybersecurity CED, OTP shows up as the classic example of an extra factor in multifactor authentication (MFA). EK 1.2.C.3 calls it out directly: when MFA is available, you should enable it, because it makes you prove your identity with something beyond the password, "such as a one-time code." So OTP isn't a standalone security tool you'd memorize on its own. It's the concrete thing that makes MFA more than just a password.
OTP lives in Unit 1: Introduction to Security, specifically Topic 1.2 (Suspicious Website Logins). It supports learning objective AP Cybersecurity 1.2.C, explaining how to make authentication stronger. The CED's logic runs in order: adversaries exploit weak passwords (1.2.B), so you defend with long, random, unique passwords AND multifactor authentication (1.2.C). OTP is the piece that makes that second factor real. Knowing why a one-time code defeats a stolen password is exactly the kind of cause-and-effect reasoning the exam wants from you in this unit.
Multifactor Authentication / MFA (Unit 1)
MFA is the broad strategy; OTP is the most common way it actually works. When EK 1.2.C.3 says MFA asks for "a one-time code" on top of your password, that code is the OTP. Think of MFA as the rule and OTP as the move that follows it.
Online Password Attack (Unit 1)
OTP is a direct counter to the attacks in EK 1.2.A.1, where adversaries try logging in with stolen or guessed passwords. Even a correct password fails without the live one-time code, so the attacker hits a wall.
Credential Stuffing & Dictionary Attack (Unit 1)
These attacks succeed because a guessed or reused password gets you straight in. OTP breaks that chain. The adversary may have the right password, but the second factor changes every login, so a stolen credential alone is worthless.
Expect OTP to appear inside questions about strengthening authentication, not as its own big topic. A multiple-choice stem might describe a user who turns on a setting that texts them a code at each login and ask you to name the security concept (multifactor authentication, with the OTP as the second factor). You may also see scenario questions asking why a one-time code protects an account even after a password leak. Be ready to explain the cause: the code is single-use and changes, so a stolen password can't be replayed. No released FRQ uses the abbreviation "OTP" verbatim, but the one-time-code idea sits squarely in the kind of authentication-defense reasoning Topic 1.2 rewards.
A regular password is reusable and meant to be remembered; you type the same one every time. An OTP is single-use and disposable, generated fresh for one login and then dead. The password is your first factor, and the OTP is the second factor that backs it up. They work together in MFA; they don't replace each other.
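The single-use property described above, as an added example that is not part of the original page: a counter-based one-time code (HOTP, RFC 4226) is checked alongside the password, and the server advances its counter after every successful login so a captured code cannot be replayed. The `Account` class, the passphrase and the salt are constructed for illustration; the secret is the RFC 4226 test value, and a real service would also rate-limit attempts and allow a small counter look-ahead window.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical server-side record: password hash plus OTP secret and counter."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = b"constructed-salt"  # constructed value for the demo
        self.pw_hash = self._hash(password)
        self.otp_secret = otp_secret
        self.counter = 0  # the only counter value the server will accept next

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str) -> bool:
        # Factor 1: the reusable password.
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return False
        # Factor 2: the one-time code for the current counter only.
        if not hmac.compare_digest(hotp(self.otp_secret, self.counter).encode(), code.encode()):
            return False
        self.counter += 1  # burn the code so it is never accepted again
        return True


def demo() -> list:
    secret = b"12345678901234567890"  # RFC 4226 test secret
    pw = "correct horse battery staple"  # constructed passphrase
    acct = Account(pw, secret)
    first = hotp(secret, 0)
    return [
        acct.login(pw, first),            # legitimate login: accepted
        acct.login(pw, first),            # stolen password + replayed code: rejected
        acct.login(pw, "000000"),         # stolen password + guessed code: rejected
        acct.login(pw, hotp(secret, 1)),  # owner's next fresh code: accepted
    ]
```

Calling `demo()` returns the four login outcomes in order; the second and third attempts use the correct password and still fail.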
OTP means one-time password, a single-use code that expires after you use it once.
OTP is the concrete example of a second factor in multifactor authentication, called out in EK 1.2.C.3.
Even if an adversary steals your password, they can't log in without the live one-time code, which is why OTP defeats online password attacks.
OTP lives in Unit 1, Topic 1.2, and supports learning objective AP Cybersecurity 1.2.C on strengthening authentication.
OTP is a second factor, not a replacement for a strong password; you still need a long, random, unique password underneath it.
An OTP (one-time password) is a temporary code that works for a single login and then expires. In AP Cybersecurity it's the second factor in multifactor authentication, the extra proof of identity you give on top of your regular password (EK 1.2.C.3).
No. MFA is the overall strategy of requiring more than one type of proof, and an OTP is one common way to deliver that second proof. The CED says MFA asks for extra proof "such as a one-time code," so the OTP is a tool that makes MFA work, not the strategy itself.
A regular password is reusable and meant to be remembered, while an OTP is single-use and changes every login. The password is your first factor and the OTP is the second factor, so they layer together rather than compete.
Yes, basically. Because the one-time code is generated fresh and expires, an attacker who has your password still can't get in without the current code. That's exactly why EK 1.2.C.3 recommends enabling MFA with a one-time code.
It can show up. OTP belongs to Unit 1, Topic 1.2 and supports objective 1.2.C, so expect it inside questions about stronger authentication and MFA rather than as its own standalone topic.