Is OTP secure enough for multifactor authentication?

As a standalone factor, many forms of OTP can certainly be vulnerable to attack, particularly at the client end of the authentication process. Malware is now advanced enough to implant itself on both desktop and phone devices (with a couple of hijacked clicks from an unsuspecting user). In this situation, methods such as SMS OTP tokens can be intercepted and used to gain unauthorized access.

Most organisations still use a traditional username / password combination as their primary authentication factor and then add a second factor such as an OTP generated by a hardware (device) or software token. Some organisations (banks in particular) have started to adopt analytics systems that identify common patterns of user behaviour and flag ‘suspect’ transactions. This is not foolproof: it can occasionally miss a suspect transaction or flag a genuine one as suspect, a poor user experience that banks can’t afford in an always competitive marketplace. So how can some semblance of security be regained from the transmission of OTP tokens?

Secure the receiving device

Ensure that a PIN (and in an ideal scenario, biometric or other secondary protection) is activated to provide an extra layer of security should the phone fall into the wrong hands. Additionally, Android users have options for anti-virus, amongst them an Android edition of the popular AVG anti-virus suite.

Use a proprietary app over SMS tokens

LastPass, Yahoo and others provide their own free app for generating the OTP token for accessing their service. Additionally, many companies generate tokens through the open source Google Authenticator app. This makes the token harder to obtain than one delivered by SMS, where access to the messages on the phone is enough.

If all else fails — ensure multi-factor authentication is in place

Your best form of attack in any security scenario is ensuring you have the most protection possible. Rather than just adding an OTP layer to your existing user registration, call upon other authentication factors to further bolster your security. There are already examples of apps in the field that allow you to activate a traditional username / password login, a biometric (fingerprint) unlock, and an OTP generated through their own proprietary app, all in one login session. Although we don’t want to completely neglect user experience, there are certainly ample horror stories to suggest that our best bet is loading the odds in our favour with multi-factor authentication.


Originally published on August 22, 2016.