OTP is used for authentication even in money transactions. What is the level of security is provided by OTP in cloud computing networks? What are the limitations?
The OTP technique is very commonly used among banks all over the world, when a customer of a bank wants to log in to his/her online account through a web browser. OTP adds a little more security to the system, at the expense of user friendliness and configuration issues. OTP is immune against password sniffing attacks: if an attacker uses software to collect your data traffic, video-records you while you type on your keyboard, or uses social engineering, it doesn't matter, since the password that the attacker gets hold of will not be valid to use. However, OTP cannot protect against two common attacks: the man-in-the-middle attack and the Trojan attack.
I agree with these considerations. This topic has been discussed in the Panel of the Conference SECURWARE2015. Considering the IoT scenario, OTP can be one of the possible methods for security to adopt in IoT, and I think it is the best implementation of the key point A.9 (Access Control) of ISO 27001. It allows having a new code for each login/transaction, and so the risk of man-in-the-middle attack and Trojan attack can also be considered generally very low thanks to the expiration of the code. The only risk is connected to the possibility of the theft of the seed necessary for the OTP code generation (e.g. see Cain & Abel RSA SecurID Token Calculation). Attached you can see the slides of the Panel of the Conference SECURWARE2015 and the link to the section of Cain.
Don't expect much from such mechanisms, especially when a high security level is needed. Passwords in general must be memorable and hence they have very low entropy. Mechanisms exist that try to amplify the entropy of passwords, such as password-authenticated key exchange. However, most of such mechanisms I inspected myself suffer from offline dictionary attacks. Mechanisms such as RSA SecurID (OTP) also aim to improve password entropy. Part of the password is known to the user and another part is frequently updated in synchronism between the token and the remote server. Although widely used, such mechanisms are vulnerable to desynchronization attacks by jammers, resulting in denial of service, and also to man-in-the-middle attacks. I haven't met any password mechanism without a serious flaw.