Why OTPs shouldn't be part of a passwordless strategy
A one-time password (OTP) is a password that lasts for just a short time - but it's still a password
Passwordless authentication has been gaining traction, and the main reason is the lack of security that passwords offer today, as passwords are reused and stolen more and more frequently. The second reason is that passwords have to be increasingly complex, which degrades the user experience. Security and user experience are among the top priorities of any digital company and are usually in direct conflict. Hence the interest in passwordless authentication, with its promise to offer more security and a better user experience at the same time.
What is the definition of passwordless authentication?
Passwordless authentication is the verification of a user's identity by a method that does not require a password. It is a very loose definition, and it is important to make a clear distinction between the different methods used to deliver passwordless authentication. Some are more secure and some provide a better user experience. One authentication method that is classified under passwordless authentication, but should not be, is the use of one-time passwords (OTPs).
A one-time password is a password that is valid for a single session and usually expires in a few minutes. So by definition, an OTP is a password! The only difference is that users don't need to remember or store it, they just receive it on their preferred channel such as email or SMS. But this is far from being the most important issue with OTPs.
While OTPs are dynamic and constantly changing, making them preferable to static credentials, the main security issue with OTPs is that they can be easily phished or intercepted. For example, SMS can be intercepted at scale, and a phone number can also be taken over with a SIM swap attack. A more relevant security issue is that social engineering and phishing attacks fool users into giving away their one-time passwords to fraudsters posing as customer support representatives.
In addition to security concerns, another major problem with OTPs is that they create too much friction for the user, impacting the user experience. Arguably, OTPs add more friction than normal passwords. This added friction ends up leading to customer drop-off and lower retention rates.
What are the authentication alternatives to OTP?
Finding a good alternative to OTP is no easy task, but the good news is that there is a lot of innovation in the security industry. In recent years, new technologies have been developed to address the UX vs. security dilemma. An example is device fingerprinting technology that can silently recognize devices based on their unique attributes and determine if they should be trusted. Most apps and websites already employ this technology. More recently, another type of passive authentication was introduced, called behavioral biometrics. Behavioral biometrics identifies authorized users based on their gestures with the mouse or touchscreen, how they type, and how they hold their phone.
Finally, with the growing relevance of mobile as the main online channel, location intelligence has started being leveraged to identify when the user is accessing or transacting from a trusted location. In a recent study conducted by Incognia, it was found that 90% of the legitimate logins and 95% of the legitimate high-risk transactions occur at a trusted location, which is a place that is part of the user’s routine such as their home, office or favorite restaurant.
There is no silver bullet in the security space, so developers should go for a layered approach. Ideally, apps would leverage passive authentication for low-risk scenarios and introduce the friction of multi-factor authentication (MFA) only when high risk is identified. In this way, apps can provide a frictionless authentication experience to the vast majority of legitimate customers while keeping fraudsters away.
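One way to express that layered approach as a step-up policy, as an added illustration rather than code from the post or from Incognia: the passive signals discussed above (device recognition, trusted location, behavioral biometrics) are scored, and MFA is demanded only when the score crosses a threshold, with a lower threshold for high-risk actions. The signal names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed weights and thresholds (illustrative, not from any product).
DEVICE_UNKNOWN = 40        # device fingerprint never seen on this account
LOCATION_UNTRUSTED = 30    # not one of the user's routine locations
BEHAVIOR_MISMATCH = 30     # behavioral biometrics score below BEHAVIOR_MIN
BEHAVIOR_MIN = 0.6         # minimum similarity to the user's profile

STEP_UP_THRESHOLD = 50     # at or above: require MFA
HIGH_RISK_STEP_UP = 30     # lower bar when the action itself is high-risk
DENY_THRESHOLD = 100       # at or above: refuse and raise an alert


@dataclass
class Session:
    device_known: bool       # fingerprint matches a device seen on this account
    location_trusted: bool   # login is from a place in the user's routine
    behavior_score: float    # 0.0 (no match) .. 1.0 (matches user's profile)
    high_risk_action: bool   # e.g. payout, credential change, new payee


def risk_score(s: Session) -> int:
    """Sum the weights of every passive signal that fails to recognize the user."""
    score = 0
    if not s.device_known:
        score += DEVICE_UNKNOWN
    if not s.location_trusted:
        score += LOCATION_UNTRUSTED
    if s.behavior_score < BEHAVIOR_MIN:
        score += BEHAVIOR_MISMATCH
    return score


def decide(s: Session) -> str:
    """Return 'passive', 'step_up_mfa' or 'deny' for this session.

    Passive signals carry the vast majority of legitimate users through with no
    friction; MFA is only introduced when the signals disagree with the user's
    history, and sooner when the requested action is high-risk.
    """
    score = risk_score(s)
    if score >= DENY_THRESHOLD:
        return "deny"
    threshold = HIGH_RISK_STEP_UP if s.high_risk_action else STEP_UP_THRESHOLD
    if score >= threshold:
        return "step_up_mfa"
    return "passive"
```

Which factor the step-up uses is a separate choice; the post's argument is that an emailed or texted OTP is a weak one.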
OTPs should not be treated as a passwordless solution