Viewpoint: One-Time Passwords Aren’t Going Away
By Al Pascual, Javelin
Last week’s announcement from the National Institute of Standards and Technology (NIST) that SMS one-time-passwords (OTP) were worthless as a form of out-of-band (OOB) authentication put the industry in a tizzy. Funny thing was that NIST did hedge a bit in its language, but it seemed that the agency was relegating SMS OTP to the junk pile.
Although NIST has since clarified the statement further in a blog of its own (“2FA is better than no 2FA, and SMS OTP isn’t prohibited”), there are questions as to what it all means for financial service providers as NIST guidance is closely followed by the industry and especially by forward-looking institutions.
There’s understandably some concern among our clients about existing investments and what a change would mean for customer experience. That’s because consumers in general have just started to become accustomed to SMS OTP. And you can bet that authentication vendors in the biometrics space were raising their glasses after the announcement, but they should put the glasses down. My position is that while I agree with NIST’s assessment that SMS OTP is problematic, SMS OTP isn’t going away.
Why? Three reasons:
- On its own, SMS OTP still has value for low risk transactions
- It can be bolstered to mitigate shortcomings
- It is so broadly integrated across the industry. It’s not quite like passwords, but you don’t sunset something like this overnight.
Financial institutions should continue to consider a risk-weighted approach to authentication. Lower risk activities are safe in the near term, but any doubts around the suitability of standalone SMS OTP for use in higher risk transactions should be settled—banking Trojans and phone forwarding have long been effective in intercepting these messages. Supplemental forms of security can raise the level of assurance provided by SMS OTP—such as verifying the status of the receiving device or utilizing anti-malware to detect infected browsers where the OTP is to be entered.
Will SMS OTP enjoy the same zombie-like status as “memorized secrets” (i.e., passwords, an approach that won’t die, despite already being dead)? No, because it isn’t dead (not even half dead for all you Billy Crystal fans). So if you use or are considering SMS OTP for out of band authentication, my suggestion would be to stay calm and assess the situation. Examine the use cases, the inherent levels of risk, and how supplementing SMS OTP with other solutions affects the underlying ROI.
Al Pascual works as research director and head of fraud & security, for Javelin Strategy & Research. He conducts in-depth research on the security of financial transactions and the integrity of consumer identities. He also explores the applicability of biometrics in banking and payments, the effect of data breaches and identity fraud on the integrity of consumer identities, and how to best secure payment data and transactions. He began his career with HSBC, where he performed due diligence investigations of high risk mortgage loans. He can be reached via [email protected].
In Viewpoints, payments professionals share their perspectives on the industry. Paybefore presents many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.
