One-Time Passwords (OTPs)

Traditional passwords don't provide an adequate amount of security due to poor security hygiene by a majority of computer users. As a result, the one-time password (OTP) has become a popular method of two-factor authentication for security teams looking to worry less about the security issues posed by the static password.

What are one-time passwords?

A one-time password is an automatically generated code sent to a known device owned by the user after they attempt to log in. To authenticate themselves, they must enter the code, typically sent via text message or email. Unlike traditional passwords, which do not change, the one-time password is valid for one use only, in a set period, typically five to 10 minutes.

There are also other methods to obtain this code other than a text message: mobile device apps or pocket-size key fobs are other options.

How a one-time password works

The concept behind the one-time password is pretty straightforward. Where a password is something you know, a one-time password attempts to establish "something you have" whether that is the mobile device or at least access to the email address where the code is being sent.

Entering the OTP does not necessarily establish possession of a device since there are ways to get a list of codes ahead of time and these codes can be intercepted. Some organizations have turned to solutions like Google Authenticator or Microsoft Authenticator to create these codes.

Examples of when one-time passwords are used

The one-time password is used frequently in situations where the user is attempting to access personal information. We can think of several examples that you already likely run into, perhaps daily:

• Accessing bank or loan accounts
• Making changes to an online travel reservation
• Verifying identity during a webchat with your streaming service
• Verifying identity when logging on from a new device for a shopping app

Security issues with one-time passwords

While one-time passwords provide an extra layer of security over static passwords, there are still security issues. The whole concept of the OTP is based on the fact that the authentication server is reaching out to the person to confirm that they indeed are trying to log in, but attackers are good at circumventing these security systems.

Malicious attackers will use phishing so when you enter your one-time password you are actually just giving it to the hacker to enter. There are bots created solely for stealing these codes, and there are also SIM swaps where an attacker can intercept the code. The password is also still part of the process as well. No password-based system will truly ever be completely secure.

What is a better and more secure authentication?

This is why Beyond Identity has focused on taking the password entirely out of the authentication process. Passwordless MFA is a modern and secure way to authenticate and verify the identity of your users.

Why passwordless MFA?

Think about the major security incidents over the past few years. Many of these attacks were the result of compromised credentials. A majority of hacking attacks can be sourced back to the password. With a passwordless authentication system, you are no longer susceptible to password-based attacks.

The one-time password decreases the likelihood of a password-based attack, but it does not eliminate it. Learn more about passwordless MFA vs one-time codes.

Beyond Identity's customer authentication solution uses cryptography to generate keys tied to the specific device and uses biometrics already on the device itself to provide even greater certainty of identity. It's time to remove the one-time password as an authentication method for your customers. Learn more about securing your customers with our Secure Customers product, or ask for a demo today.