Passwords on their own aren’t secure — this isn’t news. Neither is the fact that, to make it harder for attackers to gain access to accounts via passwords, using secondary authentication factors, such as one-time passwords, is important.
But how secure are OTPs? Don’t be lulled into a false sense of security; despite their benefits, they can be used by attackers to get into accounts.
The struggle with one-time passwords
By adding a layer of security between attackers and accounts, OTPs offer more protection and are an upgrade from password-only authentication. But they aren’t a complete solution to the problem.
“Can OTPs be defeated? Yes,” said Merritt Maxim, vice president and research director at Forrester Research. “But they’re an extra layer. And, if hackers find one system just using passwords versus one with passwords and OTPs, they’re more likely to target the former.”
To a motivated attacker, however, that extra layer isn’t difficult to defeat when compared to other authentication methods, such as biometrics or hardware keys.
The evolution of OTPs
One of the first OTPs to hit the market was a dongle with a random number generator (RNG). It showed the same number as a main device housed within the company’s server room. Unfortunately, these devices were expensive.
A less expensive option, especially as technology advanced, was for companies to harness the smartphones everyone was already carrying around, said Jack Poller, analyst at Enterprise Strategy Group, a division of TechTarget. OTPs then started to appear in different forms, the most common being passcodes sent via SMS, email or phone call.
While their security wasn’t perfect, OTPs enabled companies to overcome a major authentication issue: improve security without negatively impacting UX. Increasing security requirements that introduce friction could result in loss of customers and business.
“We know some banks have deliberately not implemented MFA [multifactor authentication] because they are more concerned with customer retention than fraud losses,” said Ant Allan, analyst at Gartner.
Universal OTP use is hindered, however, because not everyone has access to the same technology. “We still see a need for hardware OTP tokens because not everyone has a suitable smartphone or is willing to use their personal phone for work,” Allan said. “An Eastern European bank had only two-thirds of customers with smartphones, and only half of those even had data plans.”
In a business context, however, employers have greater control over employees and can mandate authentication factors more easily, but the issues become cost and employee willingness. What type of OTP technology can a company afford? Purchasing hardware keys for each employee isn’t cheap. And will employees use their own devices for work? Many may balk at installing authentication apps on their personal devices.
And beyond cost and UX is the challenge of preventing and defending against OTP attacks.
Common OTP attacks
Attackers can abuse OTPs in multiple ways, including SMS code theft, SIM swap and email hijacking attacks.
SMS code capture
The SMS protocol was created when landlines were the norm. At that time, no one foresaw future security issues, Allan said. Due to how “dumb” SMS is, companies are limited in their ability to further secure this method.
Signaling System No. 7 (SS7) was introduced in the 1970s. It enables the passing of calls and SMS between phone networks. SS7 vulnerabilities have given attackers access to the same information phone companies have, including the ability to read text messages.
Attackers can also steal a user’s credentials through phishing and social engineering tactics. Then, using SS7 vulnerabilities, they conduct man-in-the-middle (MitM) attacks to steal or snoop on SMS OTPs.
SIM swaps involve social engineering to trick phone company employees into porting a customer’s phone number to a new device and SIM card. The attacker collects a specific customer’s information to sound convincing during the conversation with a phone company. Money can also help smooth the process.
“The random store employee who can access accounts may get paid a few hundred a week from their employer, so an offer of $500 or so in cash might be enough,” Poller said.
This attack is still prevalent, Poller added. He recounted a recent experience where a friend fell prey to someone who did a SIM swap so they could drain the friend’s cryptocurrency wallet.
A study by Princeton University found 80% of SIM swap attacks were successful.
Two-factor authentication systems enable SMS or email for a second factor, which are just as likely to be phished for credentials. A 2021 IBM report found 17% of businesses were breached directly due to email attacks.
If an email account is protected solely by a password, attackers can hijack the account using a MitM or social engineering attack and then capture OTPs sent to it. Security is only as strong as the weakest link.
How to improve OTPs
While the danger of OTP attacks isn’t new, it’s unlikely companies will abandon OTPs anytime soon.
U.K. Finance wants to deprecate SMS but admitted there aren’t any suitable alternatives, Allan said. In the U.S., NIST suggested deprecating SMS OTPs more than five years ago, but they remain in use every day.
Until a better option is found, OTPs can be made more secure.
One potential solution is wider adoption of timed OTPs (TOTPs). With TOTPs, users have a limited amount of time to enter the passcode before it expires. It’s an incremental gain, Maxim said, but is an option to add even just a little more security, which may be enough to turn away some attackers.
Another option is using a smartphone’s push notifications instead of SMS to send passcodes or approve account access. Push notifications are more secure than SS7-based SMS. A potential disadvantage of this method is push fatigue, where users absent-mindedly approve access.
Returning to previous options, such as the RNG dongle, is another option. Companies could mandate the use of security keys from companies such as Yubico and Feitian, but depending on the number of employees, this option could be expensive.
Alternately, companies could require the use of authentication apps, use push notifications that require more interaction beyond hitting OK or capture biometric information.
OTPs aren’t going anywhere. “We know OTPs aren’t watertight — no method is some completely safe — but they have advantages in terms of cost and usability, which factor into enterprise decision-making,” Allan said.
Until a more secure method that is also user-friendly is adopted, companies should look into making the OTP safer.