The terms two-factor authentication and one-time password are often used synonymously, even by industry leaders. This is actually wrong. There are differences, but also dependencies between the two terms.
A two-factor authentication, as the name suggests, requires a second factor in addition to the classic primary password key. Strictly speaking, even a login with username and two different passwords would be two-factor authentication; even though this would not add any security value.
Often, so-called one-time passwords are used as a second factor.
These are either taken from a list or generated by a generator. In any case, with these OTPs it must be ensured that server and client (system and user) always know synchronously which OTP is currently valid.
Back to topic: two-factor authentication often uses one-time passwords as a second factor, but OTPs can also be used beyond two-factor authentication as an autonomous security mechanism.
The payment service provider “Klarna”, for example, completely waives asking for the classic password and storing it. Instead, every time a known user logs in, the delivery of a one-time password to the user via SMS is triggered.
This approach is actually quite clever, as it minimizes the risks involved in storing a password with the web service provider. In the event of a security breach, attackers could not capture sensitive login data.
An additional security risk does not arise from the exclusive OTP login. On the contrary, the elimination of the “password reset functions” closes a potential attack vector, since this function is simply obsolete.