One of the most convenient ways for mobile users to log into apps—and the way many businesses rely on to grant access—is a one-time password, or OTP, often shared via text message. But there’s a growing consensus among cybersecurity experts that OTPs, like traditional passwords, should be phased out, though experts say it’s doubtful that will happen anytime soon.
Consumers should pay attention to the different types of one-time passwords and weigh the security risks of each against its benefits. Experience shows that there are always some ways to bypass authentication, but some methods are stronger than others, according to Ant Allan, vice president of research at Gartner. “There are no foolproof methods of authentication,” Allan said.
Here’s what consumers need to know about one-time passwords (OTPs) and online security:
Text-message OTPs are vulnerable to online fraud.
One-time passwords (OTPs) sent by text message (SMS) are the most exposed to fraudsters, who can capture them through phishing attacks, SIM swapping, and message interception, even if you have your phone in your possession, said Tracy C. Kitten, director of fraud and security at Javelin Strategy & Research.
The problem is compounded by the fact that when a mobile or website account is taken over, you may not realize it right away. “You could have a bank, for example, send a text message and then send it back, not realizing that someone else has received it,” says Kitten. “It could be 45 minutes before you realize something is wrong, by which point it’s too late.”
Use an authenticator app, such as Google’s or Microsoft’s.
Security experts say the best option, while not a magic bullet, is to install an authenticator app, such as Google Authenticator or Microsoft Authenticator, on your mobile device. Authenticator apps are still vulnerable to some types of man-in-the-middle attacks, but they are more secure than SMS, Allan said.
With an authenticator app, users receive a unique code each time they log in, and the code expires, typically after 30 to 60 seconds. Nothing is sent to the phone number. The authenticator app is on your mobile device, so if your phone is password-protected and you have facial recognition enabled, it greatly reduces the risk of someone being able to access those codes, Kitten said.
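The codes described above are time-based one-time passwords (TOTP, RFC 6238): the app and the server share a secret and each derives the same six-digit code from the current 30-second time step, which is why a code stops working after the step passes. The following is an added example, not code from the article or from any vendor named in it; the shared secret is the public RFC 6238 test key and the verifier class with its replay check is an illustration of server-side handling, not any particular provider's implementation.

```python
import hmac
import hashlib
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length shown by typical authenticator apps

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at // step)

class TotpVerifier:
    """Server side (illustrative): accept the current step plus one step of clock
    drift either way, and never accept a time step that was already used once
    (replay protection), so a captured code cannot be re-submitted."""

    def __init__(self, secret: bytes, step: int = STEP, drift_steps: int = 1):
        self.secret, self.step, self.drift = secret, step, drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, at: int) -> bool:
        now_step = at // self.step
        for s in range(now_step - self.drift, now_step + self.drift + 1):
            if s > self.last_accepted_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_accepted_step = s
                return True
        return False

def demo() -> dict:
    secret = b"12345678901234567890"   # RFC 6238 SHA-1 test vector key (not a real secret)
    code = totp(secret, 59)             # RFC 6238 vector at T=59 yields ...287082
    verifier = TotpVerifier(secret)
    return {
        "code_at_59": code,
        "accepted_11s_later": verifier.verify(code, 70),   # same step, still valid
        "replay_rejected": verifier.verify(code, 75),      # same code again: refused
        "expired_rejected": TotpVerifier(secret).verify(code, 200),  # window passed
    }

if __name__ == "__main__":
    print(demo())
```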
Any method that requires the user to type in a code still leaves an opening, says Cedric Thevenet, vice president and head of cyber sales and solutions at Capgemini Americas. For example, say someone receives an email that appears to be from a company or provider they routinely deal with but is actually a well-disguised phishing attempt. Thanks to AI, these types of phishing emails are becoming harder to spot, Thevenet said.
If an unsuspecting user clicks the link, it can take them to a website that looks legitimate but isn’t. The person enters their username and password on the attacker’s site, thinking it’s the service provider’s, and when asked for an authentication code, they type that in as well. Now, Thevenet explained, the attacker has access to the person’s account.
Consider in-app verification prompts for better protection.
A more secure option works through the provider’s own mobile app. When users log in to the website of their bank or another service provider, the provider’s app on their phone shows a notification asking them to confirm that it is really them logging in.
This method of verification is independent of the device you’re logging in from, and it’s better than SMS or one-time passwords for authentication, but there are attacks that work against it as well, Allan said. An attacker could repeatedly try to log into someone’s account with a stolen password, and the user would receive prompt after prompt on their phone asking them to verify. If the person wasn’t paying attention, or just wanted the prompts to stop, they could tap to verify, giving the attacker access to the account.
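The repeated-prompt scenario described above leaves a recognisable trace in the identity provider's logs: a burst of push prompts for one account, often with denials, ending in an approval. The following is an added example, not code from the article or from any vendor it names; the log format and the sample lines are constructed, and the window and threshold are illustrative values a defender would tune to their own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not real data). The format is an assumption:
# <ISO time> user=<name> event=push_sent|push_result result=pending|approved|denied
SAMPLE_LOG = """\
2024-05-01T09:00:02Z user=alice event=push_sent result=pending
2024-05-01T09:00:20Z user=alice event=push_result result=denied
2024-05-01T09:00:41Z user=alice event=push_sent result=pending
2024-05-01T09:00:55Z user=alice event=push_result result=denied
2024-05-01T09:01:10Z user=alice event=push_sent result=pending
2024-05-01T09:01:30Z user=alice event=push_sent result=pending
2024-05-01T09:01:52Z user=alice event=push_sent result=pending
2024-05-01T09:02:05Z user=alice event=push_result result=approved
2024-05-01T09:03:00Z user=bob event=push_sent result=pending
2024-05-01T09:03:12Z user=bob event=push_result result=approved
"""

LINE = re.compile(r"^(\S+) user=(\S+) event=(\S+) result=(\S+)$")

def parse(log: str):
    """Yield (timestamp, user, event, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_push_fatigue(log: str, window=timedelta(minutes=5), max_prompts=3) -> dict:
    """Flag accounts that received more than `max_prompts` push prompts inside
    `window`, recording how many denials preceded the burst and whether the
    burst ended in an approval (the 'tap to make it stop' outcome)."""
    recent = defaultdict(deque)   # user -> prompt timestamps inside the sliding window
    denials = defaultdict(int)
    findings = {}
    for ts, user, event, result in parse(log):
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) > max_prompts:
                f = findings.setdefault(user, {"prompts": 0, "denials_before": 0, "approved_after_burst": False})
                f["prompts"] = len(q)
        elif event == "push_result":
            if result == "denied":
                denials[user] += 1
            elif result == "approved" and user in findings:
                findings[user]["approved_after_burst"] = True
                findings[user]["denials_before"] = denials[user]
    return findings
```

An approval that follows a flagged burst is the event worth alerting on and, ideally, stepping up (for example, requiring a second factor before honouring it), since a single burst with only denials may just be a user who mistyped nothing and an attacker who gave up.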
Choose a hardware security key when possible.
A better option is to use a physical security key, such as those made by Yubico. One key can be used with multiple apps and services. From a security standpoint, it’s better than SMS or an authenticator app, Allan said. But it takes an investment: a key can cost anywhere from $20 to $60 or more, and people have to be careful not to lose it.
It’s also not practical in every situation. Thevenet said an online retailer wouldn’t give a key to every customer, for reasons of cost and practicality.
Remove passwords from the equation with multi-device passkeys.
Multi-device passkeys replace passwords rather than one-time passwords, but they still make it harder for an attacker to break into your accounts. Passkeys rely on public-key cryptography, with a private key stored on the user’s computer or phone, according to the FIDO Alliance, an open consortium focused on reducing the world’s reliance on passwords.
In addition to removing some of the hassle of passwords, passkeys protect users from phishing attacks because they only work on the websites and apps they were registered with. There are some security concerns, but at the very least, they “remove passwords from the equation, making it harder for an attacker to get started in the first place,” Allan said.
From a regulatory perspective, passkeys may not qualify as multi-factor authentication, but they may be more secure than a password plus SMS, Allan said.
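The reason a passkey only works on the site it was registered with is that the browser, not the web page, fills in the origin and relying-party identifier the authenticator signs over, and the service refuses any assertion where they do not match. The following is an added example of those relying-party checks, not code from the article or from the FIDO Alliance; the relying-party id, origins and challenge are constructed, and the signature check over the signed data is left as a comment because it needs a public-key library outside the standard library.

```python
import base64
import hashlib
import json

RP_ID = "bank.example"                                   # constructed relying-party id
ALLOWED_ORIGINS = {"https://bank.example", "https://www.bank.example"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Build the two unsigned WebAuthn structures a browser would return.
    In a real browser the page cannot choose these values: origin is the page's
    actual origin and rp_id must be that origin's registrable domain."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = 0b00000101   # bit 0 = user present (UP), bit 2 = user verified (UV)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash, 32 bytes
                 + bytes([flags])
                 + (1).to_bytes(4, "big"))                  # signature counter
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes):
    """Relying-party side: the checks that make a passkey unusable on a lookalike site."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %s not registered" % cd.get("origin")
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    # Next step (omitted here): verify the authenticator's signature over
    # authenticatorData || sha256(clientDataJSON) with the public key stored
    # at registration, and check the counter has not gone backwards.
    return True, "ok"

if __name__ == "__main__":
    ch = b"constructed-challenge-0123456789"
    print(verify_assertion(make_assertion("https://bank.example", RP_ID, ch), ch))
    print(verify_assertion(make_assertion("https://bank.login-help.example", RP_ID, ch), ch))
```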
Expect SMS OTPs to remain in use, risks and all.
There is a wide range of options for users who want to manage online logins with more attention to security, including password managers, but all of them carry some risk, and consumers are to some extent limited to the authentication methods their providers offer.
One of her clients spends tens of thousands of dollars a month sending one-time passwords via SMS, says Dusty Anderson, managing director at Protiviti, who leads the firm’s digital identity practice. Despite the security concerns, the client is sticking with it out of fear of causing disruption, especially for customers who aren’t tech-savvy and might be hesitant to use another type of authentication tool.
For reasons like these, Thevenet said, temporary passwords are likely to remain available in some form for the foreseeable future. The most common options are low-cost and easy to use, and despite their risks they are still better than a password alone, Thevenet added. “Is sending a temporary password via SMS the absolute best solution? No. Is it better than just a password? Yes.”