One-Time Passcodes for Two-Factor Mobile Authentication: A Fast or Slow Death?

It started with credit cards. Then came debit cards, online bill payment, and most recently, apps like PayPal and Venmo. Over the years, these payment advances have made the common paper check virtually unnecessary. Check writing peaked in 1995 (coincidentally, so did the Macarena), but by the end of that same decade the sentiment was, “checks are dead.”

Yes, check usage has decreased dramatically (the number of check processing centers has gone from 18 to 1), but checks aren’t dead yet. They’ve simply taken a backseat to new payment methods that are safer and more convenient. Perhaps the same can be said for one-time mobile passcodes; even though they’re no longer the safest and certainly not the most frictionless option for two-factor authentication and password resets, they probably won’t disappear any time soon.

A one-time passcode or password (OTP) is a code that is valid for only one login session or transaction. OTPs are typically sent via SMS to a mobile phone and are frequently used as part of two-factor authentication (2FA). Businesses rely on one-time passcodes despite security issues, though most fraud from SMS OTP occurs in other global markets and not domestically. These vulnerabilities came to light recently when hackers intercepted and re-routed one-time passcodes sent by a German bank to its consumers’ mobile phones as part of its two-factor authentication process. Recent statements by the National Institute of Standards and Technology (NIST) have even warned businesses against using OTP, in part because it’s becoming easier to intercept SMS.

Like checks, the decline of one-time passcodes is inevitable. As threats, like the attack on the German bank, make their way to the U.S., businesses will adopt newer, faster, and more secure methods for authentication – like our Secure One-Time Verify solution. This solution replaces one-time passcodes with a one-time secure link, which is more convenient for consumers and safer for businesses. Through our access to real-time mobile carrier data, One Time Verify automates the work of passwords, verifies a user’s mobile device, and neutralizes the threat of SMS interception. Transactions are secure and customers can access their accounts quickly and easily.

