Will this new OTP system make internet safer?

Updated on 14-Feb-2025
By
Aaruni Kaushik

India is a country obsessed with security. We check both ways while crossing a one-way street. We double-check our locks and bolt our windows. We even have locks on our fridges. As part of this, we are also a country obsessed with One-Time Passwords (OTPs). OTPs are an easy way of adding a second layer of protection to our daily digital tasks. Whether making a bank transaction or logging into a service, you cannot proceed without entering the secret code sent to you via SMS in addition to your regular password. But are these OTPs as secure as we think?

Multi-Factor Authentication

Multi-factor authentication (MFA) uses multiple factors to establish identity instead of relying on just one, as in classical authentication.

Examples of factors include:

  • Something you know (e.g., a password).
  • Something you have (e.g., a phone).
  • Something you are (e.g., biometrics).
  • Somewhere you are (e.g., GPS coordinates).

For most daily activities, two-factor authentication (2FA) is sufficient. SMS OTPs are a type of 2FA.

Problems with SMS OTPs

SMS OTPs aim to validate “something you have” (your phone), but they have several drawbacks:

  • SMS delivery is not guaranteed and may arrive late or not at all.
  • SMS can be intercepted, compromising security.
  • Network disruptions may prevent OTPs from being sent.

Additionally, depending on SMS OTPs requires a functioning external network.

What About Biometrics?

Biometric authentication validates “something you are,” like a fingerprint or facial scan. While seemingly secure, it has limitations:

  • Biometric data can be stolen (e.g., fingerprints, facial images).
  • Server breaches can expose biometric data en masse.
  • Once compromised, biometric data cannot be replaced (you cannot change your face or fingerprints).

Thus, biometric authentication is not ideal for widespread 2FA.

Time-Based One-Time Passwords (TOTPs)

TOTPs validate “something you have,” such as a TOTP generator. Features include:

  • A 6-digit number refreshed every 30 seconds.
  • Offline generation of codes on any number of devices.
  • Guaranteed security as long as the pre-shared key remains secret.

How Do TOTPs Work?

TOTPs use the current time and a pre-shared secret (seed) to generate a one-time password. They do not require a network connection.

Workflow Example:

  1. Download a trusted 2FA app.
  2. Scan a QR code provided by your service to set up the seed.
  3. The app generates a code every 30 seconds.
  4. Enter the displayed code for authentication instead of waiting for an SMS.

The Bottom Line

TOTPs are a modern, secure, and reliable solution for 2FA, used by organizations like GitHub, Stripe, Yahoo, and UK Government Services. They are easy to implement, refresh, and secure against breaches.

The article advocates for TOTPs as the preferred method of 2FA for critical systems.

This article was written by Aaruni Kaushik.

Latest Article

Aaruni Kaushik

Connect On :
By
Aaruni Kaushik
14-Feb-2025