On-Demand Password is a tokenless two-factor authentication (2FA) method that eliminates the need for users to carry a physical hardware token or install a software token app. How it works: When a user attempts to access a 2FA-protected application, the authentication server generates a random one-time password and delivers it to the user through a pre-configured communication channel. Supported delivery channels include SMS text message, email, and voice call. Delivery method: SMS is the most commonly used delivery channel for on-demand passwords, as it is considered faster than email and less disruptive than voice calls. On-demand password delivered via SMS is commonly referred to as SMS passcode or SMS OTP. Security considerations: The page explicitly notes that SMS OTP is widely used in consumer-facing applications such as online banking and e-commerce, but acknowledges it is considered the least secure OTP method. Stated security risks include: - SMS messages being sent to an incorrect number - SMS messages being intercepted in transit - SMS messages being stolen from the user's device As a result, the page notes that many organizations are moving toward hardware OTP tokens or software OTP apps as more secure alternatives to SMS-based OTP. Use cases: On-Demand Password is positioned as an accessible entry point to 2FA, suitable for scenarios where token distribution is impractical, though it carries known security trade-offs compared to other authenticator types.