One of the most convenient ways for mobile phone users to log into apps, and one that many businesses rely on to grant access, is a one-time password (OTP), often shared over text. But cybersecurity experts are wary of the practice and say that OTPs, like traditional passwords, should be phased out, although they doubt that will happen anytime soon.
Consumers are urged to be aware of the various types of one-time passwords and the relative benefits and security risks of each. According to Ant Allan, vice president analyst at Gartner Research, experience shows that there will always be ways to break authentication, but some methods are considered stronger than others. “There is no foolproof method of authentication,” Allan said.
Here’s what consumers need to know about OTPs and online security.
OTPs are vulnerable to online fraud
Tracy C. Kitten, director of fraud and security at Javelin Strategy and Research, said OTPs via text message (SMS) are more vulnerable to fraudsters using a variety of methods, including phishing attacks, SIM swapping and message interception, even if the phone is in the user’s possession.
Further complicating the issue is the fact that if your mobile account or website has been compromised, you may not notice it right away. “For example, if you ask your bank to send you a text message, then resend it, you might not realize that someone else has received it. It could be 45 minutes before you realize something is wrong, and by that point it’s too late,” Kitten says.
Use Google or Microsoft authentication apps
While it’s not a panacea, security experts say a better option is to download an authenticator app such as Google Authenticator or Microsoft Authenticator to your mobile device. Although authenticator apps can be vulnerable to some attacks, such as “man-in-the-middle,” they are still more secure than SMS, Allan said.
With an authenticator app, users receive a unique code every time they log in, and that code typically expires after 30 to 60 seconds. Nothing is sent to their phone number. Because authenticator apps are on your mobile device, the risk of someone gaining access to the codes is greatly reduced if your phone is password protected and has facial recognition enabled, Kitten says.
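To show how an authenticator app derives a code locally without anything being sent to the phone number, here is an added example (not from the article or any vendor's app) implementing the time-based OTP algorithm from RFC 6238 with the 30-second window the article mentions; the secret used in the test is the RFC's published test key, and the one-step clock skew allowance is an assumed server policy.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the 30-second expiry window described in the article
DIGITS = 6          # typical authenticator-app code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    Both the phone and the server compute this; nothing is transmitted."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `skew` steps to
    tolerate clock drift. A code from an older window is rejected, which is
    what makes a stolen code worthless after it expires."""
    current = unix_time // step
    for window in range(-skew, skew + 1):
        expected = hotp(secret, current + window)
        # constant-time compare avoids leaking how many digits matched
        if hmac.compare_digest(expected, code):
            return True
    return False
```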
Of course, the code required still leaves potential vulnerabilities open, says Cedric Thevenet, vice president and head of cyber sales and solutions at Capgemini Americas. For example, someone might receive an email that appears to be from a company or provider they regularly do business with, but is actually a well-disguised phishing scam. Thanks to AI, these types of phishing emails are becoming harder to detect, says Thevenet.
When an unsuspecting user clicks on the link, they may be taken to a website that appears legitimate but isn’t. They enter their username and password on the hacker’s site, thinking it is their service provider’s, and then enter a verification code when prompted. The hacker can then access the user’s account, Thevenet explained.
Consider mobile app push notifications for better protection
A more secure authentication option works in conjunction with a mobile app on the user’s phone: when the user logs into a bank or other type of provider’s website, a notification appears in the corresponding app on the phone, through which the user is asked to verify their identity.
This authentication method is independent of the device you’re using to log in, making it better than SMS OTP authentication, but Allan says it still has a viable attack vector. Hackers repeatedly try to log into an account using a stolen password, and users receive multiple messages on their phone asking them to confirm. If users aren’t paying attention, or simply don’t want to be hassled, they could click confirm and give the hacker access to their account.
Choose hardware security keys when possible
An even better option is to use a hardware security key, like those from Yubico. You can use one key across multiple apps and services, which Allan says is better from a security standpoint than SMS or an authenticator app. But it does require an investment: Keys can cost anywhere from $20 to $60 or more, and you have to be careful not to lose them.
It also isn’t practical in every situation: Online retailers probably won’t hand out keys to each customer for cost and practical reasons, Thevenet said.
Eliminate passwords with multi-device passkeys
While it doesn’t necessarily replace OTPs, a multi-device passkey that eliminates the need for passwords makes it harder for attackers to break into accounts. According to the FIDO Alliance, an open industry group focused on reducing reliance on passwords, a passkey consists of a “private key” stored on the user’s computer or phone, used with public-key cryptography.
Not only does the Passkey eliminate some of the hassle of passwords, it also protects users from phishing attacks because it only works with websites and apps you register with. Allan said that while security concerns still remain, at least “by eliminating the need for passwords, it makes it harder for attackers to launch an attack in the first place.”
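To illustrate why a passkey “only works with websites and apps you register with”, unlike the relayed OTP in the phishing scenario above, here is an added example (not from the article or the FIDO Alliance) of the origin and relying-party binding checks a WebAuthn server performs on a passkey assertion. The browser, not the web page, fills in the origin field, so a lookalike site cannot produce an assertion that passes. The domain names and challenge are constructed; the signature check over the authenticator data and client-data hash is omitted to focus on the binding.

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_origin: str, rp_id: str, expected_challenge: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion ceremony (signature
    verification not shown). Any mismatch means the assertion was produced
    for some other site or session and must be rejected."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    # Origin is set by the browser from the page that called the API, so a
    # phishing domain cannot claim to be the real one.
    if cd.get("origin") != expected_origin:
        return False
    # Challenge binds the assertion to this login attempt (anti-replay).
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False
    if len(authenticator_data) < 37:
        return False
    # First 32 bytes: SHA-256 of the RP ID the authenticator scoped the key to.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    flags = authenticator_data[32]
    return bool(flags & 0x01)  # user-presence bit must be set


# Constructed helpers standing in for what a browser/authenticator emits.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
```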
While a passkey may not qualify as multi-factor authentication from a regulatory standpoint, Allan said it may still be more secure than using a password and SMS.
OTP via SMS is expected to continue to be used in the future, and the risk is
There are various options, such as password managers, available to security-conscious users to manage their online logins. However, all have risks, and consumers are limited to some extent by the authentication methods offered by different providers.
Dusty Anderson, a managing director at Protiviti who leads the firm’s digital identity practice, said she has a client that’s spending tens of thousands of dollars a month to send OTPs via SMS, and despite security concerns, the client is staunchly resisting change, fearing it would rock the boat with customers who are less tech-savvy and may be hesitant to use a different type of authentication system.
For these and other reasons, Thevenet said, OTPs will likely continue to be around in some form for the foreseeable future. The most common options are low-cost and easy to use, and while there are certain risks, Thevenet said these methods are better than passwords alone. “Is sending an OTP over SMS the best solution ever? No. Is it better than just a password? Yes.”