Why You Should Avoid Using One-Time Passwords Sent Via SMS


One of the most convenient methods for mobile users to log into applications, and one that many companies rely on to grant access, is the one-time password, or OTP, often shared via SMS. But there is a growing consensus among cybersecurity professionals that OTPs, like traditional passwords, should be phased out, although experts say that’s unlikely to happen anytime soon.

Consumers are advised to be mindful of the different types of one-time passwords and the relative security risks versus the benefits each offers. Experience shows that there is always a way to bypass authentication, but some methods are considered more effective than others, according to Ant Allan, vice president of analysts at Gartner Research. “There is no foolproof method for authentication,” Allan said.

Here’s what consumers need to know about OTPs and online security:

OTPs are vulnerable to online scams

OTPs sent via SMS are more vulnerable to attack by fraudsters through various means such as phishing attacks, SIM swapping and message interception, even if your phone is in your possession, said Tracy C. Kitten, director of fraud and security at Javelin Strategy & Research.

Compounding the problem is that when your mobile account or website is hacked, you may not realize it right away. “You might ask a bank, for example, to send a text message and then resend it, not realizing that someone else is receiving it. It might be 45 minutes before you realize something is wrong and by then it’s too late,” Kitten said.

Use a Google or Microsoft authenticator app

Security professionals say a better option, though not a cure-all, is to download an authenticator app, such as Google Authenticator or Microsoft Authenticator, to a mobile device. Authenticator apps can still be vulnerable to certain types of attacks, such as man-in-the-middle attacks, but they are still more secure than SMS, Allan said.

With an authenticator app, users receive a unique code each time they log in, and the code typically expires after 30 to 60 seconds. Nothing is sent to a phone number. The authenticator is on your mobile device, so if the phone is password protected and you have facial recognition enabled, that greatly reduces the risk that someone could access those codes, Kitten said.

Of course, there are still potential vulnerabilities related to the need to enter a code, says Cédric Thevenet, vice president and head of cyber sales and solutions at Capgemini Americas. For example, imagine someone receives an email that appears to come from a company or vendor they regularly do business with, but is actually a well-disguised phishing attempt. Thanks to AI, these types of phishing emails are becoming harder to detect, says Cédric Thevenet.

If the user clicks on the link, they may be redirected to a website that appears legitimate but is not. The user enters their username and password on the hacker’s site, thinking it is the provider’s site, and then, when prompted for the authentication code, enters that as well. Now, Thevenet explains, the hacker has access to the person’s account.

Consider mobile app push for better protection

An even more secure authentication option works in tandem with mobile apps on a user’s phone. When users log into a website from their bank or other type of provider, they receive a notification in the corresponding app on their phone prompting them to verify their identity via that notification.

This verification method is independent of the device you log in on and is better than SMS or OTP authentication, but some attacks can work against this method as well, Allan said. A hacker could repeatedly try to log into a person’s account using a stolen password and the user would receive multiple messages on their phone to verify. If the person is not careful or simply wants to be undisturbed, they could click to verify, giving the hacker access to the account.

Opt for a hardware security key when possible

An even better option is to use a hardware security key like Yubico. One key can be used across multiple apps and services. From a security standpoint, it’s better than SMS or an authenticator app, Allan said. But there’s an investment. A key can cost $20 to $60 or more, and people have to be careful not to lose it.

It’s also not practical in all situations. An online retailer won’t give every customer a key for reasons of cost and convenience, Thevenet said.

Eliminate passwords with multi-device access keys

While not necessarily a substitute for a one-time password, using multi-device passkeys, which replace the need for passwords, makes it harder for an attacker to break into your accounts. Passkeys consist of a “private key” stored on the user’s computer or phone and public-key cryptography, according to the FIDO Alliance, an open industry association focused on reducing the world’s reliance on passwords.

In addition to eliminating some of the hassle of passwords, passkeys protect users from phishing attacks because they only work on websites and apps they’ve registered. There are still some security concerns, Allan said, but at least it “takes passwords out of the equation, making it harder for an attacker to get started in the first place.”

From a regulatory perspective, access keys may not be considered multi-factor authentication, but they could still be more secure than using a password and SMS, Allan said.

Expect SMS OTPs to remain in use, and a risk

There are a wide variety of options available to help users manage their online connections with greater attention to security, including password managers, but all carry risks and, to some extent, consumers are limited by the authentication methods offered by different providers.

Dusty Anderson, Protiviti’s managing director who leads the company’s digital identity practice, has a client that spends tens of thousands of dollars a month sending OTPs via SMS. Despite the security concerns, the client is sticking to its guns because it’s afraid of rocking the boat, especially with customers who aren’t as tech-savvy and might balk at using a different type of authenticator, she said.

For this and other reasons, Thevenet said OTPs are likely to be around in some form for the foreseeable future. The most common options are inexpensive and easy to use, and despite some risks, they are still better than a simple password, Thevenet said. “Is it better than sending an OTP via SMS? No. Is it better than a simple password? Yes.”



Source link

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top