The future of password security: One-time passwords and the next wave

A padlock resting on a keyboard.
(Image credit: Passwork)

One-time passwords (OTPs) are everywhere in today’s digital world. They protect us and grant us access to the platforms we use every day: online banking, social media, ecommerce sites, health insurance, retirement funds, investment accounts, and more.

An OTP is a system-generated code, usually a short string of digits or letters, that is valid for a single login session or transaction and typically expires after a short window. OTPs are normally used alongside a conventional, long-lived password rather than in place of it, and they fit naturally into a risk-based authentication approach: when a website judges a login attempt to be risky, it can step up from login credentials alone to login credentials plus an OTP. OTPs are hard to guess, because the code is either randomly generated or derived from a shared secret and a counter or time value rather than chosen by the user, but they are not hard to obtain by deception: a fraudster who talks or phishes a genuine user into handing over the code can log in to that user’s account and do damage. Some systems add a further layer by requiring a physical possession factor, such as a registered device or hardware token, and/or a secret PIN before the OTP is accepted. Adding an OTP makes the login process more secure than a password alone, but it unfortunately remains exploitable.

It’s worth noting: likely in response to these weaknesses, the Reserve Bank of India (RBI), India’s central bank and banking regulator, recently encouraged the country’s financial institutions to move beyond SMS-based OTPs and adopt alternative authentication mechanisms. With India and the UK being committed partners in cybersecurity, it raises the question: should the UK follow suit?

Raj Dasgupta

Senior Director of Global Advisory at BioCatch.

The UK OTP universe

OTPs are used within the financial sector because they are relatively cheap, convenient, and compatible with any mobile device. A 2023 Statista study found that time-limited SMS and email OTPs remained the most prevalent types of multifactor authentication in the world.

The move to OTPs derives from the understanding that traditional passwords have substantial flaws and are frequently ineffective when it comes to protecting accounts from new cyber threats. OTPs provide a dynamic layer of protection by generating a unique code with each usage, making it more difficult for attackers to get unauthorized access. This additional security feature reduces the risks associated with static passwords, improving overall account protection in an increasingly digital landscape.

Yet they are not faultless, and can be compromised in numerous ways, including social engineering and technical weaknesses in the delivery channel, while also creating accessibility problems for users who cannot easily receive or read a code. A study from LastPass showed 61% of respondents reused passwords, even though 91% of participants said they understood the risk of doing so. An OTP as a second factor still adds protection should one of those reused passwords leak.

Decoding OTP threats: criminal exploitation and AI integration

Cybercriminals are constantly trying to stay ahead in the cat-and-mouse game with fraud detection. Fraudsters bombard us with smishing (SMS phishing) campaigns, abuse OTP-sending endpoints in SMS pumping schemes, and use purpose-built phishing kits to bypass the extra layer of security and capture our OTP codes. Smishing deceives people into disclosing their OTPs, often through a fake login page that relays the code to the genuine site before it expires. Automated phishing powered by AI generates tailored messages that closely mimic legitimate communications, increasing the likelihood that victims divulge OTPs.

Malware on a user’s device, typically a smartphone, can read OTPs as they arrive and forward them to the attacker. Man-in-the-middle attacks intercept the communication between the user and the OTP provider, letting criminals reroute or seize the code; for SMS specifically, SIM swapping achieves the same result by persuading the carrier to move the victim’s number to a SIM the attacker controls. These approaches undermine the security of OTPs, allowing attackers to get around authentication and reach critical information or accounts.

Once criminals have our OTPs, they can very often take over our bank accounts and transfer funds out. Consumers are also targeted while shopping online. The e-commerce giant Amazon, for example, uses OTPs to verify delivery of important packages, and recent cases have shown that this does not always stop thieves from stealing them.

As cybercriminals continue to develop and adapt, the incorporation of AI presents substantial hurdles for cybersecurity experts, emphasizing the critical necessity for strong defense systems to protect against OTP-related attacks.

Bank on it! Deconstructing what it means for banks

Banks, and nearly every other business with an online presence, started using SMS-based one-time passwords because they were (and are) cheap, convenient, and compatible with any mobile phone. But SMS was never designed to be an authentication channel: messages are not encrypted in transit, and they are tied to a phone number that a carrier can reassign. While SMS OTPs have improved the security of online banking around the world, they alone are not enough to deter or stop cybercriminals, especially given the recent proliferation of publicly available AI tools.

To combat this menace, financial institutions must adopt a comprehensive approach, leveraging multiple data points to validate user logins, while striking a balance between compliance, convenience, and security. Consumers need to be able to trust their banks to identify and block fraudulent transactions, and banks need to be able to rely on their fraud-prevention and detection tools to flag those transactions while offering a seamless user experience to their genuine users.

A potential solution lies in the adoption of behavioral biometric intelligence. This approach involves analyzing how individuals interact with web and native mobile applications, offering insights into their digital behaviors. Anomalies in behavior, assessed in real-time, which show significant divergence from established patterns, can indicate potential unauthorized access. Incorporating behavioral biometrics into security measures allows banks to bolster the protection of digital transactions, thereby enhancing overall security. Additionally, it enables a more customer-centric approach, ensuring a smoother and more secure user experience.

Evolution and innovation: The two sides of a coin

More than 98% of organizations worldwide already offer some form of multifactor authentication (MFA). Out-of-band, more secure mechanisms that blend possession, knowledge and inherence factors could be the next step in the evolution of authentication. Amid these advances, however, financial institutions must tread carefully, ensuring that security enhancements do not come at the expense of user experience.

Financial institutions must be careful not to make the login process too complex or time-consuming. A survey conducted by Ping found 66% of UK respondents stopped using online services or accounts due to frustration around the login process. Nearly half of survey participants said they’d switch to a competitor if they felt it offered a smoother digital journey. This underscores the critical importance of harnessing the latest in technology while streamlining the authentication process to retain customers and remain competitive in today's market.

No one solution

Traditional toolkits that aim to balance convenience and security must layer in behavioral biometric intelligence, which gives banks the ability to monitor how their customers interact online, whether on the web or in a mobile app. A user’s online behavior leaves digital breadcrumbs that establish individual patterns. When users deviate from those patterns they stand out, empowering financial institutions to stop fraudulent transactions before they complete and, too often, the money is gone.
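What "divergence from established patterns" can look like in practice, as an added illustration that is not BioCatch’s product logic or code from the article: a small Python scorer that learns a user’s typing cadence (key hold and flight times) from a few enrolled sessions and flags a later session whose features sit unusually far from that baseline. The choice of features, the 2 ms floor on the baseline spread, the threshold of three standard deviations and every keystroke timing are this example’s own assumptions; production systems draw on many more signals (mouse movement, swipe pressure, navigation habits) and a learned model rather than a plain z-score.

```python
"""Behavioral-anomaly scoring on typing cadence.

Added illustration, not BioCatch's product logic or code from the article.
A per-user baseline of keystroke timing features is learned from enrolled
sessions; a later session is scored by how far each feature sits from that
baseline, in standard deviations. All keystroke timings below are constructed.
"""
import statistics
from typing import Dict, List, Sequence, Tuple

Event = Tuple[int, int]                      # (key_down_ms, key_up_ms) for one keystroke
Baseline = Dict[str, Tuple[float, float]]    # feature name -> (mean, sd)

SD_FLOOR_MS = 2.0   # assumption: never trust a baseline tighter than 2 ms
THRESHOLD = 3.0     # assumption: mean |z| above this is treated as anomalous


def features(session: Sequence[Event]) -> Dict[str, float]:
    """Cadence features: dwell (hold) time per key and flight time between keys."""
    dwell = [up - down for down, up in session]
    flight = [session[i + 1][0] - session[i][1] for i in range(len(session) - 1)]
    return {
        "dwell_mean": statistics.fmean(dwell),
        "dwell_sd": statistics.pstdev(dwell),
        "flight_mean": statistics.fmean(flight),
        "flight_sd": statistics.pstdev(flight),
    }


def build_baseline(sessions: Sequence[Sequence[Event]]) -> Baseline:
    """Mean and spread of each feature across a user's enrolled sessions."""
    rows = [features(s) for s in sessions]
    baseline: Baseline = {}
    for name in rows[0]:
        values = [r[name] for r in rows]
        baseline[name] = (statistics.fmean(values),
                          max(statistics.pstdev(values), SD_FLOOR_MS))
    return baseline


def anomaly_score(session: Sequence[Event], baseline: Baseline) -> float:
    """Mean absolute z-score of the session's features against the baseline."""
    f = features(session)
    return statistics.fmean([abs(f[n] - mean) / sd for n, (mean, sd) in baseline.items()])


def is_anomalous(session: Sequence[Event], baseline: Baseline,
                 threshold: float = THRESHOLD) -> bool:
    """Decision the risk engine would act on (step-up, hold the transfer, etc.)."""
    return anomaly_score(session, baseline) > threshold


def make_session(n_keys: int, dwell: int, flight: int, wobble: int) -> List[Event]:
    """Constructed keystroke timings (not real telemetry): hold each key about
    `dwell` ms and pause about `flight` ms between keys, with a deterministic wobble."""
    events, t = [], 0
    for i in range(n_keys):
        hold = dwell + wobble * ((i % 3) - 1)             # cycles -w, 0, +w
        events.append((t, t + hold))
        t += hold + flight + wobble * ((i % 2) * 2 - 1)   # alternates -w, +w
    return events


# Enrolled sessions for one genuine user (constructed): ~90 ms holds, ~140 ms gaps.
ENROLLED = [make_session(30, d, f, w) for d, f, w in
            [(88, 135, 10), (92, 145, 12), (90, 140, 14), (94, 138, 16), (86, 142, 18)]]
GENUINE_LATER = make_session(30, 90, 140, 15)   # same person, a later login
IMPOSTOR = make_session(30, 40, 400, 30)        # short holds, long pauses: someone else


if __name__ == "__main__":
    base = build_baseline(ENROLLED)
    for label, s in [("genuine", GENUINE_LATER), ("impostor", IMPOSTOR)]:
        print(f"{label}: score={anomaly_score(s, base):.2f} anomalous={is_anomalous(s, base)}")
```

A score like this should be combined with the other data points already mentioned (device, network, transaction context) before it blocks anything: a genuine user typing on an unfamiliar keyboard will also drift from baseline, so behavioral signals are best used to raise the bar (trigger a step-up, delay a transfer for review) rather than to deny outright.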

OTPs are vital for online security, but they are not foolproof, especially against advanced cyber threats. As banks and other institutions explore new ways to keep us safe, such as behavioral biometrics, they also need to make sure that logging in is not too much of a hassle for customers. Finding the right balance between security and convenience is crucial. By staying ahead of cybercriminals while keeping things easy for users, banks can earn and keep their users’ trust.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Raj Dasgupta is Senior Director of Global Advisory at BioCatch.