You have probably noticed that many websites and applications are starting to use some form of Two-Factor Authentication.
In enterprises this has been used for years to let users authenticate securely to a VPN or to web-published corporate applications.
This relied on ‘Something you know’ and ‘Something you have’.
The Something you Know was typically a password and maybe on top of that a PIN code.
The Something you Have was typically a hardware token that displays a different numeric code every minute, maybe augmented with a computer certificate.
Use in our Applications / WebServices
While a password is the basic requirement for authenticating the user, I think there are a lot of advantages in forcing the use of a One-Time Password as well.
This is not only to authenticate the user, but also to give your WebService an additional check whenever it has to do something: it can verify that the request was made by the user, or by an application on behalf of the user, and that it was made within an appropriate timeframe. (This should protect a bit against somebody capturing your web request and replaying it.)
The same mechanism can also be used in the other direction, so that when you receive a response back from the WebService you have a bit more guarantee that it actually comes from that WebService.