Since the 2000s, One-Time Passcode (OTP) authentication has been a popular method for verifying online transactions in the banking, finance, and fintech industries. By generating a unique code for each transaction or login attempt, OTPs add an extra layer of security (usually in the form of two-factor authentication or 2FA) beyond traditional passwords. Another reason for the popularity of OTP was its convenience for users.
However, as cyberattacks become more sophisticated, OTP authentication, particularly when delivered via SMS, is becoming increasingly vulnerable to threats like SIM swapping. Recent data shows that SIM-swapping complaints to the FCC have doubled, increasing from 275 in 2020 to 550 in 2023. These growing risks raise concerns about the reliability of OTPs as a secure authentication method, especially in sensitive sectors like finance and banking.
In today’s article, we will discuss the security vulnerabilities of OTPs. We will also explore why alternative authentication methods like biometric verification are a more secure solution for protecting sensitive transactions. Let’s kick things off with the basics of one-time passwords to ensure everyone is up to speed.
OTP (One-Time Passcode) authentication is a security method used to verify a user's identity during online transactions. OTPs are typically used in combination with another authentication method like a password, making it a form of two-factor authentication (2FA). Unlike traditional passwords which remain the same until changed, an OTP is a unique code that is generated for a single use.
To generate an OTP, a secure algorithm is used to create an unpredictable string of characters that an attacker cannot guess. This code is then sent to the user through a delivery method such as SMS, email, or a dedicated app. Once the user enters this code, it becomes invalid and cannot be reused for future verification. These passcodes also have a time limit within which they can be used, after which they expire, a feature introduced to further enhance their security.
There are different ways OTPs can be delivered to users, each with its own advantages and limitations. Let’s explore some of the common methods used in the banking/finance industries:
SMS-based OTP: With this method, the one-time passcode is delivered via SMS to the user’s registered mobile phone number. SMS-based OTPs are popular due to their ease of use, convenience, and accessibility, since almost everyone has a phone number and a mobile device. Users also don’t need to install any extra software on their devices to receive an OTP text message. Despite these benefits, this method has become increasingly vulnerable to attacks such as SIM swaps and interception via protocol vulnerabilities.
Email-based OTP: With email-based OTP authentication, the one-time passcode is sent to the user’s email that they registered while creating an account. Similar to SMS, this method is easy to use and widely accessible since almost everyone using banking and fintech services already has an email. Users simply need to check their inbox to retrieve the code and enter it into the appropriate field. This method, however, relies on the security of the user’s email account. If an attacker gains access to the user’s email, they could intercept OTPs and compromise security.
App-based OTP: App-based OTPs are generated by mobile applications such as Google Authenticator or Microsoft Authenticator. Unlike SMS or email, this method is much more secure, since the code generated by these apps is far harder to hijack unless the attacker gains physical access to the user’s device. However, users need to install an authenticator app on their devices, which creates some friction when compared to a method like SMS-based OTP.
Despite their popularity, one-time passcodes are associated with many risks, especially when delivered via SMS and email. Let’s explore the common risks associated with OTP authentication.
SIM Swap Attacks: SIM swap attacks occur when cybercriminals take control of a victim’s mobile phone number by tricking the mobile carrier into transferring the number to a SIM card controlled by the attacker. Once the attacker gains access to the phone number, they can intercept OTPs sent via SMS and use them to gain access to the victim's bank accounts or other sensitive services.
SS7 Protocol Vulnerabilities: The SS7 (Signalling System No. 7) protocol is an international telecommunications signalling standard that defines how network components in the public switched telephone network exchange information and control signals. Unfortunately, the SS7 protocol has serious security loopholes that allow attackers to intercept SMS messages, including OTPs.
Phishing and Social Engineering Attacks: In phishing attacks, cybercriminals create fake websites or send fraudulent messages that mimic legitimate services. They trick users into entering their email addresses and passwords, thinking they are logging into a secure site. These attacks are usually aimed at gaining access to a user’s email account, which can then be used to read OTPs that are sent via email.
SMS-based OTPs, though widely used in banking and fintech, come with significant limitations that reduce their effectiveness in securing financial transactions.
Evolving Security Concerns: In their early days, OTPs delivered via SMS were considered a strong form of two-factor authentication (2FA). However, as cyber threats have become more sophisticated over the years, OTPs have become vulnerable to several attacks like SIM swapping as discussed in the previous section.
Reliability Issues: Another challenge with SMS-based OTPs is the potential delay in message delivery. Factors such as poor network coverage, carrier issues, or international messaging constraints can cause OTPs to arrive too late. This can be frustrating to users who may want to access their accounts immediately.
SMS-based OTPs can be costly: Another significant limitation is the cost of sending OTPs through SMS. Companies may have to pay for each SMS message delivered to their users, which can lead to substantial monthly expenses, especially for large financial institutions with millions of customers. This makes SMS OTPs not only a security risk but also a costly and inefficient option for businesses in the long term.
Due to security risks surrounding OTP authentication and other limitations like the high costs, efforts have been put in place over the years to come up with better alternatives. Two of the most promising alternatives are biometric verification and passwordless authentication. Let’s explore them in detail.
Biometric authentication uses unique human characteristics like fingerprints, facial recognition, voice patterns, or iris recognition to verify a user's identity. These methods offer higher security because they are based on traits that are unique to each individual and difficult to replicate. It has been proven that even twins have some differences in the physical structure of fingerprints, faces, or irises. Unlike OTPs, which can be intercepted or stolen, biometric data is much harder for attackers to compromise.
However, one of the drawbacks of using biometric authentication methods like facial recognition is that attackers can attempt to spoof biometrics using photos, videos, or voice recordings of legitimate users. This is where liveness detection comes into play. Liveness detection ensures that the biometric input is coming from a real person who is physically present at the time of authentication. Biometrics with liveness detection can be an effective and secure authentication method that can be used alone or in combination with passwords for 2FA.
Passwordless authentication is an emerging security technique that allows users to verify their identity without the need for traditional passwords or OTPs. In a passwordless system, users authenticate themselves through methods such as biometrics, security keys, or links sent to trusted devices or apps. This eliminates the need to remember or manage passwords, which reduces risks like phishing attacks that are associated with passwords and OTPs.
Increased security: Since there are no passwords to steal, attackers have fewer opportunities to breach accounts. This makes passwordless methods resistant to phishing and other forms of credential-based attacks.
Improved user experience: Without the need to enter passwords or wait for OTPs, users can log in more quickly and easily, improving their overall experience. For instance, logging in with facial recognition simply requires one to look at their device, which is much more convenient than entering a long password.
Reduced Costs: Managing passwords and dealing with password resets can be expensive for companies. Passwordless authentication reduces these operational costs by eliminating the need for password management systems and all forms of customer support related to forgotten passwords or lockouts.
Stronger Compliance: Many regulations require financial institutions to use strong authentication methods to protect user data. Passwordless systems often meet or exceed such compliance requirements.
With the increasing threats associated with passwords and one-time passcodes, it’s clear that financial institutions need to adopt more advanced authentication techniques. Banks and fintech companies should consider moving from OTPs and passwords to adopt advanced authentication solutions like biometric verification and other passwordless authentication methods for both primary and multi-factor authentication (MFA).
Multi-factor authentication, which requires users to provide two or more verification factors, offers a higher level of security. MFA can be used with adaptive intelligence—where authentication methods adjust based on user behavior, device information, or risk level.
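The adaptive approach described above can be expressed as a policy that chooses which authentication methods a login may use based on the risk signals at hand. The following is an added example, not code from the original article or from any vendor it mentions; the signal names, weights and thresholds are illustrative assumptions. The point it demonstrates is that the weakest factor (SMS OTP) is only ever offered when every signal is quiet, and that a SIM-change signal from the carrier removes SMS from the list outright, since the code might otherwise be delivered to whoever now holds the number.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class Method(Enum):
    PASSKEY_OR_BIOMETRIC = "passkey_or_biometric"  # device-bound, phishing-resistant
    APP_OTP = "app_otp"                            # authenticator-app TOTP
    SMS_OTP = "sms_otp"                            # weakest: exposed to SIM swap / SS7


@dataclass
class LoginContext:
    """Risk signals available at login time (hypothetical field names)."""
    known_device: bool          # device was previously enrolled for this account
    sim_changed_recently: bool  # carrier signal: SIM replaced or number ported recently
    new_country: bool           # geolocation differs from the user's usual one
    high_value_action: bool     # e.g. adding a payee or a large transfer
    failed_attempts: int        # login / OTP failures in the current session


# Illustrative weights, not a standard; tune from your own fraud data.
WEIGHTS = {
    "unknown_device": 2,
    "sim_changed_recently": 4,
    "new_country": 2,
    "high_value_action": 2,
}
LOCKOUT_AFTER = 5       # failed attempts that end the session
STEP_UP_ONLY_AT = 4     # score at which only phishing-resistant methods remain
NO_SMS_AT = 2           # score at which SMS OTP is no longer offered


def triggered_signals(ctx: LoginContext) -> List[str]:
    """Names of the signals that fired, for the audit log and for analysts."""
    fired = []
    if not ctx.known_device:
        fired.append("unknown_device")
    if ctx.sim_changed_recently:
        fired.append("sim_changed_recently")
    if ctx.new_country:
        fired.append("new_country")
    if ctx.high_value_action:
        fired.append("high_value_action")
    if ctx.failed_attempts:
        fired.append(f"failed_attempts={ctx.failed_attempts}")
    return fired


def risk_score(ctx: LoginContext) -> int:
    score = sum(WEIGHTS[s] for s in triggered_signals(ctx) if s in WEIGHTS)
    return score + min(ctx.failed_attempts, LOCKOUT_AFTER)


def allowed_methods(ctx: LoginContext) -> List[Method]:
    """Methods the user may complete this login with, strongest first.
    An empty list means the attempt is refused."""
    if ctx.failed_attempts >= LOCKOUT_AFTER:
        return []
    score = risk_score(ctx)
    # Explicit guard, independent of the weights: a recent SIM change means an
    # SMS code may reach the attacker, so SMS is never an option in that case.
    if ctx.sim_changed_recently or score >= STEP_UP_ONLY_AT:
        return [Method.PASSKEY_OR_BIOMETRIC]
    if score >= NO_SMS_AT:
        return [Method.PASSKEY_OR_BIOMETRIC, Method.APP_OTP]
    return [Method.PASSKEY_OR_BIOMETRIC, Method.APP_OTP, Method.SMS_OTP]


if __name__ == "__main__":
    # Constructed scenarios: a routine login and a login after a SIM change.
    routine = LoginContext(True, False, False, False, 0)
    after_swap = LoginContext(True, True, False, False, 0)
    print([m.value for m in allowed_methods(routine)])
    print([m.value for m in allowed_methods(after_swap)], triggered_signals(after_swap))
```

Keeping the signal names in the audit record (`triggered_signals`) matters as much as the decision itself: it is what lets a fraud team see, after the fact, that step-up was triggered by a SIM change rather than by a new device, and it gives the detection side a field to alert on when the same account trips the SIM-change guard repeatedly.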
Players in the banking and fintech sectors can also adopt biometric verification with liveness detection. This method provides a robust defense against many of the current vulnerabilities faced by OTPs. The good news is that most modern consumer devices support fingerprint scanning and have advanced cameras that can be effective for facial recognition with liveness detection.
However, it is also crucial for different players to consider privacy and security concerns with biometrics in the event that attackers gain access to a user’s biometric data that is stored on servers. That’s where more advanced methods like Keyless’ Zero-Knowledge Biometrics technology come in. With this technology, users can access their accounts using facial recognition but without having their data stored anywhere on the internet.
Conclusion
One-Time Passcodes (OTPs) were once a popular and convenient method for securing online transactions. However, as cyberattacks have become more sophisticated, their vulnerabilities have become increasingly evident, particularly when delivered via SMS. Threats like SIM swapping and SS7 protocol attacks have made OTPs less reliable, especially for companies in sensitive sectors like finance and banking.
To address these risks, financial institutions should consider alternatives like biometric verification with liveness detection and passwordless authentication. These methods offer stronger security, improved user experience, and reduced costs compared to OTPs. By adopting advanced authentication techniques, banks and fintech companies can better protect their customers’ sensitive information and stay ahead of evolving cyber threats.