One-Time Passwords (OTPs) Integration: What You Should Know


With an increase in cyber threats and a general security shift to multi-factor authentication (MFA), one-time passwords (OTPs) are now a common protocol that fulfills the “something you possess” requirement of MFA.

OTPs are quite easy for businesses to integrate into their authentication strategies, and they are cost-effective since they use your customers’ existing mobile devices.

Now, what is OTP authentication and how does it work?

OTP authentication combines your regular password with an authentication mechanism that acts as an extra layer of security. OTPs are further divided into two types: Time-based One-Time Passwords (TOTP) and Hash-based One-Time Passwords (HOTP).

TOTP authentication is a mechanism that relies on time for sending unique passcodes that can only be used for a single login session within a specific time (usually 30-60 seconds). The next time a user wants to access an application or website, they will require a different time-based passcode.

HOTP is an event-based OTP where the moving factor in each code is based on a counter. In most cases, there is a physical token (think Yubico’s YubiKey) that consistently generates codes, and a code is only valid when you request it, as the generator and server are synced.

So how does it work?

OTPs are randomly generated by algorithms, which makes it difficult for hackers to gain access, unlike with traditional passwords. It also means that people cannot reuse the code for multiple accounts. This reduces the risk of attacks that use breached passwords from other sites.

Most OTP authentication involves a code (usually fully numeric or alphanumeric) or a push notification being sent to your customer via an SMS service provider after they input their login details.

This process shields your customers from attacks and prevents unauthorized account access.

What are the OTP channels?

SMS and email: The most popular examples of OTP authentication are codes sent by email or by SMS through an OTP SMS solution. Once your customer enters their username and correct password, a time-based code is sent to the mobile number or email linked to the account. Your customer will enter the code where prompted to complete the authentication process.

Authenticator apps: OTPs can also be delivered through smartphone apps such as Google Authenticator, or integrated into the service provider’s app, for example, a banking app.

Voice Message: Another OTP delivery method is a voice call to your customer’s mobile device. It enables authentication for your clients with visual impairments. The spoken password is not recorded on the phone either, and voice calls are sometimes used as a backup in case the SMS is not delivered.

OTP vs. 2-Factor Authentication (2FA)

What’s the difference between an OTP and 2FA?

Simply put, an OTP can be used as a method of 2FA/MFA, while 2FA is used to secure accounts.

2FA has practical applications beyond being used as an autonomous security mechanism where a customer is provided an OTP for every login. It should not be used synonymously with OTP, as OTP is just one of many forms of 2FA/MFA and can also stand alone as its own security solution.

Best Practices for One-Time Passwords Setup

Here are a couple of things you need to know when you set up OTPs for your business:

  • Complexity and length of password: The complexity of a password depends upon the randomness of characters used. These characters can be letters and numbers, or both. The code should be 6 to 10 characters long, as it will be convenient for your customer and hard to guess for any attacker.
  • OTP should be the focus: Whenever you send an OTP to your customer, make sure it is in the first line of your message, and if you can, make it very bold.
  • Allow extra attempts for OTPs: Make provisions for your customers to resend the OTP in case of any network failure or wrong OTP.
  • Reputed Service Provider: An error-prone OTP service is bad for your business simply because, on average, a user takes only 15 seconds to leave a website. So make sure you are with a web-based multi-channel marketing platform that can handle your needs with ease. It is very important to choose a provider with reliable delivery and a quick response period.
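The length and retry practices above can be enforced on the server side. The following added example (not code from the original article) issues a random numeric code for SMS, email or voice delivery, and bounds its lifetime, wrong guesses and resends. The class name and the limits of 60 seconds, 3 attempts and 3 resends are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 6      # within the 6 to 10 character range recommended above
OTP_TTL = 60        # assumed validity window in seconds
MAX_ATTEMPTS = 3    # assumed cap on guesses per issued code
MAX_RESENDS = 3     # assumed cap on resends per login attempt


class OtpChallenge:
    """One pending OTP for one login attempt (hypothetical helper class)."""

    def __init__(self):
        self.sends = 0
        self.digest = None

    def issue(self, now: float) -> str:
        """First send or resend: a fresh code replaces any earlier one."""
        if self.sends > MAX_RESENDS:
            raise PermissionError("resend limit reached, restart the login")
        self.sends += 1
        # secrets draws from the OS CSPRNG; the random module is predictable.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(code)  # keep only a digest, never the code
        self.expires = now + OTP_TTL
        self.attempts_left = MAX_ATTEMPTS
        return code  # pass to the delivery provider; do not log it

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self.salt + code.encode()).digest()

    def verify(self, submitted: str, now: float) -> bool:
        if self.digest is None or now > self.expires or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1  # count the guess before comparing
        ok = hmac.compare_digest(self._hash(submitted), self.digest)
        if ok:
            self.digest = None  # single use: the same code cannot be replayed
        return ok
```

Without the attempt cap, a 6-digit numeric code has only one million possible values, so unlimited retries would let an attacker enumerate it.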

The Pitfalls of OTP Authentication

While OTP authentication will add an extra layer of security to password-only defenses, it still can be compromised fairly easily.

Hacking kits that steal OTP codes from the attacker’s chosen targets using an automated bot service are now available for purchase, which is bad for businesses.

There are a number of attacks that expose the weakness of OTP authentication and allow attackers to access accounts. These include:

  • SIM-Swapping by porting a customer’s number to another device and SIM card.
  • Man-in-the-Middle Attacks where the hacker inserts himself into the communication channel between you and your customers.
  • Phishing through malware that reads your customer’s data.

Final Word

OTP is here to help you reduce compromised accounts and increase the overall security of your business. If you haven’t started, now is a good time to get on board with BSG to protect your customers’ data and give your business a certified security outlook.