Passwords on their own aren't secure; that's not news. Nor is it news that secondary authentication factors, such as one-time passwords (OTPs), make it harder for attackers to break into accounts through passwords alone.
But how secure are OTPs? Don't be lulled into a false sense of security: despite their advantages, attackers have well-practised ways of defeating them and still gain access to accounts.
The struggle with one-time passwords
By adding a layer of security between attackers and accounts, OTPs offer more protection and are an upgrade from password-only authentication. But they are not a complete solution to the problem.
“Can OTPs be defeated? Yes,” said Merritt Maxim, vice president and research director at Forrester Research. “But they are an additional layer. And, if hackers find a system using only passwords versus one with passwords and OTPs, they are more likely to target the former.”
For a motivated attacker, however, this extra layer is easier to defeat than other authentication methods, such as biometrics or hardware security keys.
The evolution of OTPs
One of the first OTPs on the market was a hardware token with a built-in pseudorandom number generator. Seeded with the same secret as an authentication server in the company's server room, the token displayed the number the server expected at that moment. Unfortunately, these devices were expensive.
A cheaper option, especially as technology advanced, was for companies to make use of the smartphones that everyone already carried, said Jack Poller, an analyst at Enterprise Strategy Group, a division of TechTarget. OTPs then began to appear in different forms, the most common being access codes sent by SMS, email or phone call.
While their security was not perfect, OTPs allowed companies to overcome a major authentication problem: improving security without negatively impacting UX. Increased security requirements that introduce friction could lead to loss of customers and business.
“We know that some banks deliberately did not implement MFA [multifactor authentication] because they are more concerned with customer retention than fraud losses,” said Gartner analyst Ant Allan.
The universal use of OTP is hampered, however, because not everyone has access to the same technology. “We still see a need for hardware OTP tokens because not everyone has a suitable smartphone or is ready to use their personal phone for work,” Allan said. “One Eastern European bank only had two-thirds of its customers with smartphones, and only half of them even had data plans.”
In a business setting, however, employers have greater control over employees and can more easily enforce authentication factors, but the issues become cost and employee willingness. What type of OTP technology can a business afford? Purchasing hardware keys for each employee is not cheap. And will employees use their own devices for work? Many may be hesitant to install authenticator apps on their personal devices.
And beyond cost and user experience, there is the challenge of preventing and defending against OTP attacks.
Common OTP attacks
Attackers can abuse OTPs in several ways, including intercepting SMS codes, SIM swapping and hijacking the email accounts that codes are sent to.
SMS code capture
The SMS protocol was created when landlines were the norm. At that time, no one anticipated future security issues, Allan said. Due to the “stupid” nature of SMS, companies are limited in their ability to make this method more secure.
Signaling System No. 7 (SS7) was introduced in the 1970s. It lets calls and text messages pass between telephone networks, and it was designed on the assumption that every party on the signaling network is trusted. SS7 vulnerabilities give an attacker who gains access to that network the same capabilities as a telco, including the ability to intercept text messages.
Attackers can also steal a user's password through phishing or social engineering, then use SS7 vulnerabilities to mount a man-in-the-middle (MitM) attack that intercepts or silently reads the OTP SMS sent to the victim's phone.
SIM swapping
SIM swapping uses social engineering to trick phone company employees into porting a customer's phone number to a new SIM card and device. The attacker first collects information about the target so the story sounds convincing when talking to the carrier; a bribe can also help move things along.
“The random store clerk who can access the accounts might get paid a few hundred a week by their employer, so an offer of around $500 in cash might be enough,” Poller said.
This attack is still prevalent, Poller added. He recounted a recent experience where a friend fell prey to someone doing a SIM swap so he could empty the friend’s cryptocurrency wallet.
A study from Princeton University found that 80% of SIM swapping attempts succeeded.
Email account hijacking
Many two-factor systems allow a code sent by text message or email as the second factor, and email accounts are just as vulnerable to credential phishing as any other account. An IBM report from 2021 found that 17% of businesses were breached directly as a result of email attacks.
If an email account is protected only by a password, attackers can hijack the account using a MitM or social engineering attack and then capture OTPs sent to it. Security is only as strong as the weakest link.
How to improve OTPs
While the danger of OTP attacks is nothing new, businesses are unlikely to abandon OTPs any time soon.
UK Finance wants to deprecate SMS but has admitted there is no suitable alternative, Allan said. In the U.S., NIST recommended deprecating SMS OTP more than five years ago, but it is still used every day.
Until a better option is found, OTPs can be made more secure.
One potential improvement is wider adoption of time-based OTPs (TOTPs). A TOTP is computed on the user's own device from a shared secret and the current time, so it never travels over SMS, and it expires after a short window, typically 30 seconds. It's an incremental gain, Maxim said, but an option that adds a little more security, which may be enough to fend off some attackers. The caveat is that a TOTP is still a code the user types in, so a phishing site that relays it to the real service within its validity window defeats it just as it defeats an SMS code.
Another option is to use smartphone push notifications instead of text messages to deliver codes or approve sign-ins. A push notification travels over an encrypted channel to a registered app rather than over SS7-based SMS, which makes it harder to intercept. A potential downside is push fatigue: users who receive prompt after prompt start approving access without thinking about it, and an attacker who has the password can keep triggering prompts until one is accepted.
Returning to hardware, such as the token described earlier, is also possible. Companies could mandate security keys from vendors such as Yubico and Feitian; modern keys of this kind support FIDO2/WebAuthn, which binds the credential to the website's origin and so resists the phishing that defeats OTPs. Depending on the number of employees, though, this option could be costly.
Alternatively, companies could require the use of authenticator apps, use push notifications that require more interaction beyond clicking OK, or capture biometric information.
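Number matching is the usual way to require more than an OK tap: the login page shows a short number and the push prompt makes the user type it, so a prompt the user did not initiate cannot be approved by reflex. The following is an added example, not code from this article or from any push-authentication vendor, sketching the server-side bookkeeping that makes it work: each challenge is bound to one pending login, expires, is single-use, and allows only a few wrong guesses. The name PushChallengeStore, the 60-second lifetime and the three-attempt limit are assumptions for illustration.

```python
import secrets


class PushChallengeStore:
    """Server-side state for number-matching push approvals (constructed example)."""

    def __init__(self, ttl_seconds: int = 60, max_attempts: int = 3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        # login_session_id -> [number shown on the login page, expiry time, attempts left]
        self._pending: dict[str, list] = {}

    def issue(self, login_session_id: str, now: int) -> str:
        """Called when a password check succeeds and a push is about to be sent.

        Returns the two-digit number to display on the login page; the push
        prompt asks the user to type that number rather than tap Approve.
        """
        number = f"{secrets.randbelow(100):02d}"
        self._pending[login_session_id] = [number, now + self.ttl, self.max_attempts]
        return number

    def approve(self, login_session_id: str, entered_number: str, now: int) -> str:
        """Called when the phone app submits the number the user typed."""
        entry = self._pending.get(login_session_id)
        if entry is None:
            # No login is waiting: an unsolicited or already-consumed prompt approves nothing.
            return "no_pending_login"
        number, expires_at, attempts_left = entry
        if now > expires_at:
            del self._pending[login_session_id]
            return "expired"
        if entered_number != number:
            entry[2] = attempts_left - 1
            if entry[2] <= 0:
                # A user guessing at a prompt they did not trigger locks it instead of approving it.
                del self._pending[login_session_id]
                return "locked"
            return "mismatch"
        del self._pending[login_session_id]  # single use: a second approval cannot reuse it
        return "approved"
```

The important property is that approval is tied to the specific login attempt that displayed the number, so a user who receives a prompt they did not initiate has nothing to type and the attempt simply times out.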
OTPs aren't going anywhere. “We know that OTPs aren't watertight – no method is completely secure – but they have cost and usability benefits that factor into business decision-making,” said Allan.
Until a more secure and user-friendly method is adopted, companies should consider making the OTP more secure.