One-time passwords (OTPs) are everywhere – we have all experienced them in our daily lives. An OTP, which can sometimes be called a one-time PIN, one-time passcode, or one-time authorization code, works as a dynamically generated set of numbers or letters designed to grant one-time access to an application or service. OTPs change every time the user attempts to log in, and can be sent to users over SMS, email, mobile push notifications, or messaging services like WhatsApp.
Apart from passwords, OTPs are probably the best-known authentication method we have, but like any security method, we should not take them for granted. Should OTPs be as popular as they are? Let’s consider the pros and cons carefully to see whether OTPs make sense for your business.
The good
OTPs offer a better UX than traditional authentication methods because users don’t have to create or remember anything. Instead of having to come up with a unique password or using a password manager to create a random password for every account, remember where they stored it, and retrieve it every time they want to log in, OTPs just require entering a phone number or an email address and retrieving the code.
OTPs, like passwords, also have the advantage of familiarity. Even my parents know what OTPs are. This lack of a learning curve means that if a business uses OTPs, it can reach a wide number of users.
OTPs are also multi-channel. For example, companies can use OTPs over SMS or over email to verify that users own specific phone numbers or email addresses. In both cases, the system can check who has possession of a given phone or email account. Since passwords are based on knowledge, users can either forget their password, or an attacker can obtain their passwords via nefarious means. OTPs are thus more secure than legacy authentication methods because they check a possession factor, which takes a bit more effort for attackers to compromise. It’s a higher bar for OTPs.
The bad
OTPs present variable costs of authentication over SMS. Whether the business maintains its own messaging infrastructure, or if it uses a third party like Twilio or Infobip, those SMS messages each cost money to send. If the company has hundreds of millions of users, the costs add up. The company gets charged for every login. The more an app gets accessed, the more the company pays.
OTPs can also have reliability issues. While it’s great that OTPs over SMS require users to possess their phones, OTPs also depend on SIMs and phone connectivity. That means that user connectivity can impact their ability to access the company’s services. OTP messages might also drop and not get delivered, depending on network connectivity. If users don’t have service or are traveling internationally on airplane mode, OTPs are often not available.
Finally, OTPs bring their own set of potential security vectors that malicious actors may exploit, especially using social engineering through SMS phishing, often by mirroring legitimate workflows. OTPs are susceptible to SIM swapping, man-in-the-middle (MITM) attacks, and MFA fatigue. OTPs are more secure than passwords, but they are still less secure than many other authentication methods.
Tips to avoid the ugly
If the company currently uses OTPs and it wants to switch or evolve its thinking on OTP authentication, it will need to answer the following question: What can I use that reduces costs, improves UX, is more secure, and improves reliability? Here are three authentication methods to consider:
- Time-based one-time password/passcodes: (TOTP) These are generated like an OTP, but also includes the current time as an input. TOTPs are just OTP codes that cycle out every 30, 60, or 90 seconds. Teams can deploy TOTPs with a hardware token, like a physical fob or a security key, or a software token, like through an authenticator app such as Authy or Google Authenticator. Consider using TOTPs for multi-factor authentication, rather than just OTPs. TOTPs still verify possession, but are more secure -- they are much harder for attackers to compromise via MITM attacks because the codes are never transferred over the wire. TOTPs are immune to SIM swapping (because they do not depend on your SIM) and they work as long as you have an internet connection, even just over Wi-Fi, so you can use them when traveling internationally. A TOTP renders many OTP cons moot, although phishing is still technically feasible. However, TOTPs do introduce some friction.
- Passkeys: Many companies have found that passkeys are an easy and popular way for users to sign up to apps or websites without using a password. Users can interact with passkeys just like they already unlock their smartphones or computers: with a fingerprint, a face scan, a pattern, or a PIN. Passkeys are more secure and make logging in easier by replacing a knowledge-based credential with a stronger and more user-friendly form of authentication. Passkeys verify possession. If the user base is very phone heavy and the company wants to verify them based on their possession of their phone, use passkeys. Compared to passwords and OTPs, passkeys offer a better UX and security because they also use biometrics – 2FA is built in. Passkeys are also resistant to phishing attacks and credential theft, another advantage over passwords and OTPs.
- Trusted end-to-end encrypted channels: If neither TOTP or passkeys make sense, try authenticating via trusted end-to-end encrypted channels like WhatsApp. This method also makes it harder for an attacker to compromise the company’s service. Like TOTPs and passkeys, trusted channels also lower costs compared to OTPs over SMS. Furthermore, users may already use a given trusted channel in their daily lives, so they’ll be familiar with the UX.
The world moved from passwords to OTPs because of the pros: better UX, familiarity, and multi-channel. They remain a popular and usable authentication method for the right use case. However, the cons of OTPs let attackers get their hands on these codes via social engineering and impact the cost of doing business at large login volumes. There’s a clear solution for OTP skeptics: either deliver and verify these codes in a different way, or use a trusted end-to-end encrypted medium.
Rishi Bhargava, co-founder, Descope
