Your best friend for file transfer.

Fetch application logoFetch
Fetch Icon Fetch Help > Concepts > One-Time Password

One-Time Password (OTP) is an Internet standard challenge-response password system. Fetch automatically supports the OTP system, so usually you do not have to do anything special if your server uses OTP.

Servers running OTP software respond to the USER command with special challenge information that is used only once. The FTP client must respond with a password based on the user's secret password and the challenge information. Since the challenge information is never reused, the password that the client sends back changes with each session. That makes it impossible for a wiretapper to collect a password that could then be used to access the account.

When Fetch detects an OTP challenge, it automatically computes the one-time password, based on the secret password entered by the user. This is more convenient than using a separate program to perform the calculation. However, because the process is automatic, it carries a subtle security risk. If the server for some reason does not issue the OTP challenge, Fetch will send the secret password over the network instead of the response derived from the secret password. To be warned in this case, check the Warn before sending password insecurely box in the Security preferences pane.

If, for some reason, you need to compute the response yourself, enter "***CHALLENGE***" as your secret password in the password field. Fetch will show you the server's challenge and prompt you for a response.

OTP is only supported in FTP connections (and possibly FTP with TLS/SSL connections), not in SFTP connections.

OTP is based on the older S/Key system developed by Bellcore, which Fetch continues to support.

For more information about security in Fetch, see the Security help topic.

For more about the One-Time Password system, see RFC 2289: A One-Time Password System.