Hem Knowledge Base PKI or OTP authentication, a comparison
Knowledge Base

PKI or OTP authentication - a comparison


Two factor authentication

Two factor authentication is nowadays a very commonly used method to authenticate a user. There are a number of different solutions within this area. Of course, they differ. The variations in terms of security between all the variants of two factor authentication are what differentiating them most of all. To clarify one example of a major difference in security, a comparison of OTP (One Time Password) and PKI (Public Key Infrastructure) is made below.

One Time Password

The name is a clear and obvious hint of what it is all about. A one time password is valid for authentication only once. Methods to create OTPs differ as well as the ways they are synchronized or programmed to match their host system to which login shall be authorized.

Code cards

One type of OTPs still used are code cards. Those are preset codes to a specific account with which you in combination of one or two other logon credentials can authenticate to a system. Security wise it is a weak alternative as they easily can be replicated, lost and most often hard to keep track of. Thus, it happens they are used for an extra authentication whilst already logged in and authenticated to a system. For example, the bank can require you to confirm a specific money transfer or a payment by typing the next code in line of your code card. By doing this, you confirm to be able to do this additional transaction that is protected with an extra step of authentication in this way.

Security code boxes

There are hardware devices that are synchronized with the server running your desired service. Again a bank as a good example. Often they use PIN-protected security code boxes to authenticate to their internet system. Those boxes are of course strictly personal, set to match your personal identification number pre-registered in the bank system (or tax registration number depending on country). As they are protected with a user chosen personal PIN-code they offer a substantial higher level of security than most of OTP-solutions available. In line with codes from code cards, security code boxes can be used in an Internet bank to acknowledge a specific payment or an additional function. This while you already are logged in to the Internet bank using certificate based login.

However, one security code box does only allow you to authenticate to one particular website, such as an Internet bank. Then, if you are customer to several banks also using security code boxes, you will end up with a whole bunch of such boxes.

Email and SMS

What happens most often when creating an account on a social network platform, or signing in to a new mobile phone application, is that you will have to generate a one time password as one step in the validation creating your account. To receive these OTPs you will sometimes have to use your mobile phone number or your email address.

This would indeed indicate a severe security problem. A validation can not be done to ensure it is you that are in control of the phone of the given mobile phone number to receive the SMS with the one time password or the email address stated. Meaning anyone can use your logon credentials along with their own email address or mobile phone number to create enough details for an authentication pretending they are you. As well, SMS sent with OTPs can be intercepted.

However, this is not the case when generating a one time password for a website you repeatedly sign on to. The mobile phone of yours, and the receiving server, share a counter mechanism that is obliged to be in synch with each other. On your local mobile phone it is often solved using a specific authenticator application. The counters of your phone application and the server are compared and incremented equally. On the server side a password is generated using various kinds of proprietary algorithms that generate an unpredictable password that your local application on the mobile phone is able to decrypt.

Various authenticator applications on your mobile phone can also use time based one time passwords to authenticate to a web application. The receiving server and your phone need to rely on they share the same time and must not diverge too much.


Security code boxes, as mentioned above, are as QR-codes often used in combination with some other strong authentication mechanism, for example authentication methods that are based on certificates. In such case, a QR-code define combined with a two factor authentication method what is basically a "three factor authentication method". The QR-code embeds a key value that is shared with the authenticator application on the mobile device used.

Two factor authentication using Public Key Infrastructure

In PKI a key pair, one private key and one public key (public key stored in the certificate) will be used to authenticate the user to a system that is configured to trust the issuer of the user certificate. The private key can only be used for authentication after entering a PIN-code. The owner of the certificate/keys must keep the PIN-code a secret.

Issuance of a PKI-certificate to a user is set to follow a strict predefined process, in some cases as strict as issuing a passport or any other type of personal identification, physical in terms of an identification card or an electronic identification ditto. If lost or misused, there are likewise strict and powerful processes to revoke the certificate. In accordance, and to compare with, it must likewise a credit card, be possible to always and immediately being blocked in a secure way.

The PKI-certificate supports the creation of electronic signatures. OTPs do not. For all of the PKI purposes to identify someone, the combination of the public and the PIN-code protected personal secret key authorizes the owner really being the owner. In comparison to OTP, the process of identification can not be compromised at all leaving a smaller surface for hacking, interception, breaching or faking the identity. 

PKI supports and is two factor authentication. The certificate of each and every owner, or user, can be implemented on several types of bearer devices. Hardware tokens like USB sticks, YubiKeys and a smart card which maybe is the most commonly used device bearing a PKI certificate. Authenticating to your corporate network, the smart card is attached to a card reader asking the user for the PIN-code, and the certificate is checked to a certain list for validity control (CRL - Certificate Revocation List).

By far, PKI is a technology superior to OTP in terms of security. This superiority reflects as well its' vast field of use cases. This is another story, however can be read about in the SecMaker blogs, for example "FIDO vs PKI, the blog" published on the SecMaker website.

The SecMaker Live iD is a service that offers two factor authentication using Public Key Infrastructure technology. It is based upon the complete range of products offered by SecMaker.

Comparison conclusion

As mentioned above, it is obvious that PKI is subject to a more strict and thorough view of identity management leaving no doubt it is more secure compared to OTPs. Thus, the process of authenticating using OTPs is more likely to be faster than using PKI. And it is a choice. For example, register oneself as a user on a social network should in many cases be object to a more strict identification process than often today implemented typically using OTP. The personal details displayed on a social network is personal information of value that can be misused and exploited by criminals. But then, the opening of your social network account is slowed down compared to using OTP for its' registration process. That means, OTPs can be suitable and enough as validation method for those purposes not risking details of value to be displayed for hackers, hence also quicker.


Contact us

Do you have more questions? Don't hesitate to ask our experts.