Over the past few years, there has been a noticeable move away from what has been the norm for decades – communication and business conducted in person or over the phone – toward increasingly digital-only interaction.
Customers today want to communicate with companies and financial institutions from their smartphones or tablets. A digital presence is expected, and it goes far beyond just having a website. From eBay and Amazon purchases and PayPal transfers, to financial transactions made over banking websites and apps, the more that business is performed online, the more customers need authentication to protect them from cyberattacks.
Not too long ago, a prudent response to the rise in fraud was to shore up the inherently insecure username/password approach by sending the end user an SMS message containing a one-time passcode (OTP) to verify an online transaction.
But eventually this, too, proved insecure. OTPs can be intercepted, and SMS is not end-to-end encrypted between the sender and the user’s handset. The one-time passcode is meant to be typed into the same transactional page where the customer enters their username and password. If the device or the page itself has been compromised by malware, or the customer has been lured to a phishing page that relays the code in real time, the fraudster harvests the OTP along with the username/password combination, and the customer’s account is at the mercy of the cybercriminal.
Earlier this year an updated version of the ‘Android.Bankosy’ malware was found on a number of Android phones in the Asia-Pacific region. Once installed on a victim’s device, it opened a back door, collected system-specific information from the phone and sent it to a command-and-control server that recorded each infected device’s unique ID. From then on, all incoming SMS messages, including those carrying OTPs, could be captured, allowing the operators to steal funds from online accounts whose login credentials had already been compromised.
This is hardly an isolated incident; SMS-delivered OTPs have been defeated by cybercriminals using numerous techniques, and this form of second-factor authentication has come under increasing scrutiny and criticism. In August of this year, the US National Institute of Standards and Technology (NIST) published draft guidance deprecating SMS as an OTP delivery channel, citing the channel’s inherent weakness against fraud. But well before then there had already been a distinct move away from SMS-based user authentication toward factors that are both more secure and more user-friendly.
What’s more, authentication factors have come a long way since the heyday of the randomly generated passcode sent through SMS. Smartphones and tablets carry cameras, microphones, fingerprint readers and secure hardware that most laptops and desktops lack, and they have been leveraged for more secure forms of transaction verification. These include push notifications, biometric facial, fingerprint or voice recognition, and security software that can be integrated into a bank’s mobile application.
So with the advent of more secure authentication methods and their increasing dominance in the market, the question must be asked: Are we witnessing the death of the SMS-delivered OTP as an authentication factor?
The answer depends on just how secure these more advanced and stronger authentication methods really are, and in the face of them, whether SMS-delivered OTP is still of any use. Let us look at some of these ‘next generation’ authentication methods and their best practices:
Push Authentication: A push notification reaches the user’s enrolled device in real time and can be approved or denied with a tap. The message travels out-of-band from the browser session, over an encrypted channel, and there is no PIN or password to type into a webpage, so a phishing page or keylogger has nothing to harvest. Two details decide whether that strength holds in practice: the approval must be signed with a key bound to the enrolled device rather than being a bare “yes”, and the notification should show the transaction details (payee, amount) so the user is confirming a specific action, not blindly approving whatever login or transfer happens to be pending. Done that way, push is both strong and nearly frictionless.
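The following is an added example, not code from the original article or any vendor product, of the two properties described above: a push approval that is bound to a device key and to the exact transaction the user saw. The device key is a symmetric secret shared at enrollment for simplicity (a production design would keep an asymmetric key in the phone’s secure hardware); `AuthServer`, `DeviceApp`, the device ID `phone-1` and the transactions are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def canonical(tx: dict) -> bytes:
    """Serialize transaction details deterministically so device and server sign identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def approval_tag(device_key: bytes, nonce: str, tx: dict) -> bytes:
    """Device-side signature over the challenge nonce and the exact details shown on screen."""
    return hmac.new(device_key, nonce.encode() + b"|" + canonical(tx), hashlib.sha256).digest()


class AuthServer:
    """Bank side: enrolls devices, issues one push challenge per transaction, verifies replies."""

    def __init__(self):
        self.device_keys = {}  # device_id -> key shared at enrollment (hypothetical in-memory store)
        self.pending = {}      # nonce -> (device_id, tx) awaiting approval

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def push_challenge(self, device_id: str, tx: dict) -> dict:
        nonce = secrets.token_hex(16)       # fresh per transaction: each approval is single-use
        self.pending[nonce] = (device_id, tx)
        return {"nonce": nonce, "tx": tx}   # payload the app displays to the user

    def verify_approval(self, device_id: str, nonce: str, tag: bytes) -> bool:
        entry = self.pending.get(nonce)
        if entry is None or entry[0] != device_id:
            return False  # unknown, already-consumed, or wrong-device challenge
        expected = approval_tag(self.device_keys[device_id], nonce, entry[1])
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key, or the device approved different details than requested
        del self.pending[nonce]  # consume the challenge so the same approval cannot be replayed
        return True


class DeviceApp:
    """Phone side: holds the enrollment key and signs exactly what it displayed."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key

    def approve(self, challenge: dict) -> tuple:
        # The user reads challenge["tx"] and taps Approve; the app signs those details, not a bare "yes".
        return challenge["nonce"], approval_tag(self.key, challenge["nonce"], challenge["tx"])


def demo() -> dict:
    """Constructed scenarios: one legitimate approval and three attacks that must fail."""
    srv = AuthServer()
    app = DeviceApp("phone-1", srv.enroll("phone-1"))
    results = {}

    # 1. Legitimate transfer: the user sees "100.00 to ACME" and approves; a replay is refused.
    ch = srv.push_challenge("phone-1", {"to": "ACME", "amount": "100.00"})
    nonce, tag = app.approve(ch)
    results["legit"] = srv.verify_approval("phone-1", nonce, tag)
    results["replay"] = srv.verify_approval("phone-1", nonce, tag)

    # 2. Fraudster with the stolen username/password starts a transfer to a mule account, and a
    #    malicious overlay on the phone shows the user harmless details; the signature then covers
    #    the wrong transaction and the server rejects it.
    ch = srv.push_challenge("phone-1", {"to": "MULE", "amount": "9000.00"})
    shown = {"nonce": ch["nonce"], "tx": {"to": "ACME", "amount": "1.00"}}
    nonce, tag = app.approve(shown)
    results["tampered_display"] = srv.verify_approval("phone-1", nonce, tag)

    # 3. Fraudster without the enrolled device key forges an approval for the same transfer.
    ch = srv.push_challenge("phone-1", {"to": "MULE", "amount": "9000.00"})
    forged = approval_tag(b"not-the-device-key", ch["nonce"], ch["tx"])
    results["forged"] = srv.verify_approval("phone-1", ch["nonce"], forged)
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce makes each approval single-use, and signing the displayed details rather than a plain “approve” is what stops a credential thief from turning a pending fraudulent transfer into an approved one.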
Biometric Recognition: Biometrics enjoy the perception of being highly secure, which matters, because customers will not use a technology they do not trust. Fingerprint, face and voice recognition improve as mobile hardware improves, and many smartphones now ship with built-in fingerprint readers. In a sound design the biometric never leaves the device: it is matched locally and unlocks a device-bound key that signs the authentication, so there is no biometric template on a server to steal. Like push, biometric authentication takes seconds and is more convenient for the end user than typing a one-time passcode.
VoiceOTP Audio Message: A VoiceOTP delivers the passcode by phone call. When the user answers, an audio message gives a brief introduction and then “speaks” a randomly generated passcode. This sidesteps malware that reads incoming SMS, but a voice call still rides the telephone network, so it remains exposed to call forwarding and SIM-swap attacks, and the spoken code is typed into a web page like any other OTP.
Mobile Software Tokens: Unlike SMS OTPs, software tokens generate one-time passcodes on the device itself from a secret provisioned at enrollment, so no code crosses the carrier network and there is nothing to intercept in transit. When the token is built into the bank’s own mobile application, the passcode appears on screen inside the app and the user doesn’t have to toggle between apps to enter it. A code that is phished from the user is still valid for the remainder of its short time window, so the server should accept each code at most once and reject replays.
As we can see, multi-factor authentication that is out-of-band and smartphone (or tablet)-centric provides inherently stronger security than the aging SMS OTP second factor, provided the approval or code is tied to the enrolled device. It is also more convenient, giving a near-frictionless user experience.
But this does not mean the SMS-delivered passcode is completely obsolete. The NIST recommendation is most relevant in mature digital markets such as North America and Europe; its position on SMS-delivered OTPs is aimed squarely at the US, where smartphones and tablets are ubiquitous. In less developed markets where smartphone penetration is low and the old “dumb-phones” are still the norm, SMS OTPs remain genuinely useful, because few alternative second factors are available to those users, and even a weak second factor is better than a password alone.
So is the SMS-delivered OTP dead? Not quite. It may be too soon for SMS’s funeral, but the authentication factor is getting on in years and should be considering retirement.