- OTPs via text message, or SMS, are vulnerable to attacks by fraudsters through a variety of means such as phishing attacks, SIM swapping and message interception.
- There is a growing consensus that one-time passwords should be replaced due to the cybersecurity risks.
- While not perfect, security experts say a better option is to download an authenticator app, like Google Authenticator or Microsoft Authenticator, on mobile devices.
One of the most convenient methods for mobile phone users to log into apps — and one many companies rely on to grant access — is the one-time password, or OTP, often shared by text. But there's a growing consensus among cybersecurity professionals that OTPs, like traditional passwords, should be eliminated, even though the experts say it's doubtful that will happen any time soon.
Consumers are being urged to be mindful of the different types of one-time passwords, and the relative security risks versus benefits that each offers. Experience shows there is always some way of defeating authentication, but some methods are considered stronger than others, according to Ant Allan, a vice president analyst at Gartner Research. "There are no bulletproof methods for authentication," Allan said.
Here's what consumers need to know about OTPs and online security:
OTPs are vulnerable to online scams
OTPs via text message, or SMS, are more vulnerable to attacks by fraudsters through a variety of means such as phishing attacks, SIM swapping and message interception, even if your phone is in your possession, said Tracy C. Kitten, director of fraud and security at Javelin Strategy & Research.
Get Tri-state area news delivered to your inbox. Sign up for NBC New York's News Headlines newsletter.
Compounding the issue is the fact that when you have a mobile account or website taken over, you may not be aware of it right away. "You could ask a bank, for instance, to send a text and then resend, not realizing someone else is getting it. It could take you 45 minutes before you realize something's wrong and at that point it's too late," Kitten said.
Money Report
Use an authenticator app from Google, Microsoft
Security professionals say a better option, though also not a panacea, is to download an authenticator app, like Google Authenticator or Microsoft Authenticator, on a mobile device. Authenticator apps can still be vulnerable to some types of attacks like "adversary in the middle" but they're still safer than SMS, Allan said.
With an authenticator app, users receive a unique code every time they log in, and the code expires, generally after 30 to 60 seconds. Nothing is being sent to a phone number. The authenticator is on your mobile device, so if the phone is password-protected and you have facial recognition enabled, it greatly reduces the risk of someone being able to get access to those codes, Kitten said.
Of course, there are still potential vulnerabilities based on the need to enter a code, says Cedric Thevenet, vice president and head of cyber sales and solutioning at Capgemini Americas. Say, for example, a person gets an email that seems to be from a company or provider they routinely does business with, but, in reality, it is a well-disguised phishing attempt. Thanks to AI, these types of phishing emails are becoming harder to detect, Thevenet said.
If the unsuspecting user clicks on the link, it might take him to a website that looks legitimate, but isn't. The person enters his username and password on the hacker's site, thinking it's the provider's site, and then, when asked for the authenticator code, types that in as well. Now, Thevenet explained, the hacker has access to the person's account.
Consider mobile app push for better protection
An even more secure option for authentication works in tandem with mobile apps on a user's phone. When users log in to a website for their bank or another type of provider, they receive a notification in the corresponding app on their phone prompting them to verify their identity through that notification.
This verification method is independent of the device you are logging in on, and better than SMS or authenticator OTPs, but there are attacks that can work against this method too, Allan said. A hacker could repeatedly try to log in to a person's account using a stolen password and the user would get multiple messages on his phone to verify. If the person isn't paying careful attention, or just wants to stop being bothered, he could click to verify thus giving the hacker account access.
Opt for hardware security key when possible
An even better option is to use a hardware security key like Yubico. One key can be used with multiple apps and services. From a security standpoint, it's better than SMS or an authenticator app, Allan said. But there's an investment. A key can cost in the range of around $20 to $60 or more and people have to be careful not to lose it.
It's also not practical in every situation. An online retailer isn't going to give a key to each of its customers for cost and practicality reasons, Thevenet said.
Take passwords out of the equation with multi-device passkeys
While it's not necessarily a replacement for an OTP, using multi-device passkeys, which replace the need for passwords, makes it more difficult for an attacker to break into your accounts. Passkeys consist of a "private key" stored on the user's computer or phone and public key cryptography, according to the FIDO Alliance, an open industry association focused on reducing the world's reliance on passwords.
In addition to eliminating some of the annoyances of passwords, passkeys protect users from phishing attacks because they work only on their registered websites and apps. There are still some security concerns, Allan said, but at the very least, it "takes passwords out of the equation, so it makes it more difficult for an attacker to get started in the first place."
From a regulatory point of view, passkeys may not qualify as multi-factor authentication, but could still be safer than using a password and SMS, Allan said.
Expect OTPs via SMS to remain in use, and a risk
There are a wide variety of options for users to manage their online logins with greater attention to security, including password managers, but all have risks and to some extent, consumers are limited by the authentication methods different providers offer.
Dusty Anderson, managing director at Protiviti, who leads the firm's digital identity practice, has a client that spends tens of thousands of dollars a month to send OTPs via SMS. Despite security concerns, the client is digging in its heels because it's afraid of rocking the boat, especially with customers who aren't as tech-savvy and may balk at using another type of authenticator, she said.
For this and other reasons, Thevenet said OTPs are likely to be around in some form for the foreseeable future. The most common options are low cost and easy to use, and despite certain risks, these methods are still better than just a password alone, Thevenet said. "Is it the greatest solution ever to send OTP through SMS? No. Is it better than just a password? Yes."