What is OTP authentication?
One-time password (OTP) authentication relies on a factor that is a password or PIN, sometimes time-sensitive, and usually valid for only one login session or transaction validation. OTP implementations typically serve as the second factor in two-factor authentication by requiring users to have access to something they possess, such as a cellphone or smartphone.
The use of OTPs surged once cell phone adoption became mainstream, and OTP is probably the most popular 2FA method today. OTP implementations vary in how the code reaches the user: by email, by SMS to a phone number, as a graphic representation on a smartphone (a QR code), or generated by a hardware token.
The need for better security has paved the way for more sophisticated OTP-generating algorithms and more ways of implementing them. Where 2FA methods once relied largely on OTP authentication via SMS, the last decade has proven the weaknesses of that communication channel, so most 2FA flows now use other forms of OTP implementation.
This article will highlight three implementation forms of OTP authentication and present a valid alternative or coupling method that provides increased security without harming the user experience:
- What is SMS OTP?
- UX score of SMS OTP authentication: 2/5
- Security of SMS OTP authentication
- What is Email OTP verification?
- UX score of Email OTP authentication: 3/5
- Security of Email OTP authentication
- What is Hardware token OTP authentication?
- UX score of Hardware OTP authentication: 2/5
- Security of Hardware OTP authentication
OTP authentication represents the next step forward from single-factor authentication to a more sophisticated method of validating user identities. Most OTP implementations are one contributing factor of a 2FA setup, which is usually built from a first, knowledge factor such as a password or PIN and a second, possession factor such as a smartcard or a specific cellphone.
The method used to generate OTPs is a considerable factor influencing the security level of the final authentication implementation. Specifically, what matters is the means by which an OTP code is transmitted and the algorithm that generates it.
OTP generation algorithms are based on pseudorandomness or randomness to create a code that is usually also hashed. Their characteristics vary: codes can be based on time synchronization between the authentication server and the client providing the password, and are then valid only for a short period. Codes can also be generated by a mathematical algorithm as part of a chain that must be used in a predefined order. Another approach creates each new password from a challenge, such as a random number chosen by the authentication server or the details of the transaction.
An OTP can also be a TOTP (Time-based One-time Password), meaning the generated code can be used only once and is also time-sensitive, so it must be entered within a certain timeframe, usually a maximum of 15 minutes after its generation.
Types of OTP authentication implementations: SMS OTP authentication
What is SMS OTP?
SMS OTP authentication refers to sending one-time passwords via SMS, a technology in common use for decades. Its popularity is easy to understand: text messaging is a universal communication channel available on nearly all mobile devices, text-to-speech conversion makes it welcome to visually impaired users, and the low total cost of implementation has driven its massive adoption. Today more than 60% of users worldwide use SMS OTP authentication to log into their favorite services.
UX score of SMS OTP authentication: 2/5
From a user experience perspective, SMS OTP authentication falls short, as does any authentication method that is not in-band. It translates into a set of actions users have to perform before authenticating: find their phone, wait for the SMS to arrive, and then manually type the one-time passcode into their computer — and do it all before the time-sensitive SMS OTP expires. Switching devices and manually entering codes creates a burdensome user experience and can lead to increased churn rates.
Security of SMS OTP authentication
Although it is the most popular OTP authentication method, SMS OTP is also one of the least secure, as more and more reports have shown how easily SMS OTPs can be intercepted or compromised. OTPs sent over text messaging are protected in transit, at best, by an A5/x cipher of the GSM standard. A5/1 is a stream cipher, and leaks and reverse engineering of its design have revealed several critical weaknesses.
SMS OTP authentication is also exposed to a range of attacks, including:
- SIM hacking (malicious actors can spoof cell tower signals or abuse SS7 signaling systems to access the contents of private messages),
- Synced devices (message syncing makes SMS codes readable from every linked smartphone, laptop, tablet, and wearable),
- Social engineering attacks (attempts to convince targets to unknowingly hand over their personal information and passwords—including SMS codes).
In July 2016, the U.S. NIST issued a draft special publication with guidance on authentication practices that discourages the use of SMS as a method of implementing out-of-band two-factor authentication. SMS OTP authentication should therefore be used only as one of several factors and never as the sole additional factor, under any circumstances.
Types of OTP authentication implementations: Email OTP authentication
What is Email OTP verification?
Email OTP authentication refers to sending one-time passwords via email, which makes the login a 2FA method. The second factor consists of a valid email address (a possession factor) associated with the login. Instead of receiving the OTP by text message, users check their mailbox and then enter the code in the login field or transaction validation form.
UX score of Email OTP authentication: 3/5
Email OTP authentication is an out-of-band method that requires users to leave their browsing session during login or transaction validation, navigate to their email account, and look for the OTP that was sent. The code then has to be entered back in the authentication session, which makes the user experience burdensome. Some OTPs are also time-sensitive and must be entered within a preset timeframe; failing to do so requires a new login attempt. This method also requires an internet connection.
Security of Email OTP authentication
Unfortunately, this method is one of the least secure because of the sensitive information most email accounts contain. If an intruder gains access to an email inbox, they can potentially compromise every other account associated with it, including those that use email OTP for identity verification. Privacy is at risk too: once a login session is stored on a device, other users of that device can read the email content and successfully reset passwords. In that case the second factor of the 2FA flow is weaker than expected and creates only a false sense of security.
Types of OTP authentication implementations: Hardware token OTP authentication
What is Hardware token OTP authentication?
HMAC-based OTP (HOTP), built on the Hash-based Message Authentication Code (HMAC), is the code-generating algorithm used by hardware tokens to provide codes for identity verification. Each generated code remains valid only until the next authentication request, and the code generator and the server must stay synchronized for the code to validate.
UX score of Hardware tokens OTP authentication: 2/5
The method has some serious downsides from a UX perspective, like the lack of adoption outside the desktop environment (most hardware tokens are connected via USB) or the high costs associated with every device, sometimes reaching even $50 USD for each token. Also, like all tokens, these may be lost, damaged, or stolen.
Users’ age plays a role too when deciding whether to deploy such an authentication method. A qualitative study found that FIDO certified USB password keys were a poor match for older adults: they did not fit the technology those users already had, and they failed to address their needs or to motivate use from a security perspective. Elderly users will prefer other authentication methods since most have given up desktops and switched to tablets with no USB support. This makes hardware OTP authentication devices an option for enterprises but the least popular authentication method among the elderly and in consumer products, due to the prohibitively high costs.
Security of Hardware tokens OTP authentication
The method is highly secure and often implements FIDO protocols, whose standardized cryptographic techniques provide stronger authentication.
How to improve OTP authentication with typing biometrics
As shown above, most OTP authentication implementations have security or UX shortcomings. Combining these factors with an inherence factor such as typing biometrics results in unobtrusive security coupled with ease of use.
The innovative, AI-based solution named TypingDNA Verify 2FA relies on OTP authentication only as a fallback method in a root of trust system.
TypingDNA Verify 2FA works by prompting users to type four words chosen explicitly by our AI engine to enable higher matching accuracy on much shorter texts. The four words are chosen for their complexity: the number of distinct characters, how they are spread across the keyboard layout, and the vertical and horizontal travel between keys, so that the unique typing pattern can be captured.
After the four words are typed, the typing pattern is matched to authenticate the user in your application.
Combining TypingDNA Verify 2FA with other OTP authentication methods as fallback alternatives provides increased security and a great user experience. The UX component of this implementation comes from in-band authentication — meaning a user does not switch devices or even browser sessions to log into their favorite applications. This represents a step forward towards a better user experience and a streamlined user journey.