In the world of password security, there is no system more widely used or more misunderstood than the one-time passcode (OTP). For those who are unfamiliar, it is the short numeric code you receive by text message, or read off an authenticator app, when you try to log into your bank, your email or another personal account online. OTP usually goes hand in hand with two-factor authentication, which requires an extra step beyond entering your username and password before you are let into your account.
The problem with traditional OTP systems
The one-time passcode has been widely adopted because it is easy to deploy, convenient and a real improvement over a password alone. When you log in or change your password, you receive a fresh code that is valid for a single use and only for a short time. The security comes from that single-use, short-lived property, not from uniqueness across users: a six-digit code has only a million possible values, so two people will certainly be shown the same digits at some point. What matters is that a code which has already been accepted, or which has expired, is rejected by the server.
The weakness of SMS-delivered codes lies in the delivery channel and in how the code is consumed. An attacker who takes over your phone number (a SIM swap or number port), or who has malware on the handset that can read messages, receives the code just as you do. More commonly the code is phished: a fake login page collects your password and the code you have just received and forwards both to the real site in real time. Because the code is only a string of digits typed into whatever page is in front of you, nothing binds it to the legitimate site. Once the attacker has a session they can change your password and recovery details and lock you out. Note that a captured code does not work "as many times as they want": a correctly implemented server accepts each code once and only within its short validity window, so the real damage is done in the single session the attacker obtains with it.
What’s next in multifactor authentication?
When you think about it, multifactor authentication is really just one step removed from a password: something you know combined with something you have, and sometimes something you are. The "know" column has not changed in decades, and until recently the "have" column held only a phone, a code-generating app or a dedicated token. There are more promising options on the horizon, discussed below, but for now most services are stuck with those. A lot of people find passwords tedious to remember and enter all day long, which means they often reuse them across sites.
The problem with reuse is that if your password is leaked or guessed, you lose not only that account but every other account protected by the same login details. Multifactor authentication mitigates this risk by requiring an additional code or device before granting access, so a stolen password on its own is not enough. Hardware tokens make this stronger still, because an attacker needs both physical possession of the token and knowledge of its PIN or passphrase before gaining entry to an account or network service.
Adaptive Authentication – Device, User, Context
Adaptive Authentication, also called risk-based authentication, is an increasingly popular complement to the other methods. Rather than replacing factors, it decides how many to demand. At each login the service gathers signals about the device (a recognised browser or device fingerprint), the user (their usual working hours and behaviour) and the context (IP address, geolocation, whether the location is plausible given where the previous login came from), combines them into a risk score, and only steps up to an additional factor when the score is high. A login from the usual laptop on the usual network may need only a password; the same account appearing minutes later on an unknown device in another country is challenged or blocked. The benefit for users is fewer prompts when nothing looks unusual. The benefit for the service is that fraud is judged on several independent pieces of evidence rather than on a single passcode.
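To make the device/user/context idea concrete, here is an added example (not code from the original article) of a small risk engine: it scores one login attempt against the account's history and returns allow, step-up or deny. The signal weights, the 900 km/h "impossible travel" threshold and the sample history and login events are all constructed for illustration; a production system would tune these from real data.

```python
"""Risk-based step-up decision for a login attempt (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

Coords = Tuple[float, float]  # (latitude, longitude) in degrees


@dataclass
class UserHistory:
    known_devices: Set[str]
    last_login_time: Optional[datetime] = None
    last_login_location: Optional[Coords] = None
    usual_hours: range = range(7, 20)  # hours (UTC) this user normally logs in


@dataclass
class LoginContext:
    device_id: str      # browser/device fingerprint presented at login
    ip_country: str     # country the source IP geolocates to
    home_country: str   # country on the account profile
    location: Coords    # geolocation of the source IP
    time: datetime


def haversine_km(a: Coords, b: Coords) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_score(ctx: LoginContext, hist: UserHistory) -> Tuple[int, List[str]]:
    """Combine device, user and context signals into a score with reasons (weights are illustrative)."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:          # device signal
        score += 40
        reasons.append("unknown device")
    if ctx.ip_country != ctx.home_country:               # context signal
        score += 30
        reasons.append("foreign IP")
    if ctx.time.hour not in hist.usual_hours:            # user behaviour signal
        score += 10
        reasons.append("unusual hour")
    if hist.last_login_time and hist.last_login_location:
        hours = (ctx.time - hist.last_login_time).total_seconds() / 3600
        km = haversine_km(ctx.location, hist.last_login_location)
        if hours > 0 and km / hours > 900:               # faster than a commercial flight
            score += 50
            reasons.append("impossible travel")
    return score, reasons


def evaluate(ctx: LoginContext, hist: UserHistory) -> Tuple[str, int, List[str]]:
    """Map the score to a decision: password only, step up to a second factor, or refuse."""
    score, reasons = risk_score(ctx, hist)
    if score >= 80:
        decision = "deny"
    elif score >= 40:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


# Constructed sample data: last login from London at 09:00 UTC on a known laptop.
LONDON = (51.5074, -0.1278)
SAO_PAULO = (-23.5505, -46.6333)
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
HISTORY = UserHistory({"laptop-1"}, T0, LONDON)

NORMAL_LOGIN = LoginContext("laptop-1", "GB", "GB", LONDON, T0.replace(hour=10))
NEW_DEVICE_LOGIN = LoginContext("phone-9", "GB", "GB", LONDON, T0.replace(hour=10))
TRAVEL_LOGIN = LoginContext("phone-9", "BR", "GB", SAO_PAULO, T0.replace(hour=10))

if __name__ == "__main__":
    for name, ctx in [("normal", NORMAL_LOGIN), ("new device", NEW_DEVICE_LOGIN), ("travel", TRAVEL_LOGIN)]:
        print(name, evaluate(ctx, HISTORY))
```

The normal login scores zero and passes on the password alone; the unknown phone in the home country triggers a second-factor prompt; the same phone appearing in São Paulo an hour after a London login trips the impossible-travel rule as well and is refused outright.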
Time-Based One Time Passwords (TOTP)
A time-based one-time password (TOTP, specified in RFC 6238) is one of many forms of two-factor authentication. At enrolment the service generates a random secret and displays it as a QR code, which the user scans once into an authenticator app on their phone. From then on the app and the server each compute the current code independently: an HMAC over the shared secret and the current 30-second time step, truncated to six digits. When logging in, users enter their username and password as usual and then type in the six digits the app is currently showing; the server computes the same value (usually tolerating one step of clock drift either way) and compares. It is important to note that this method relies on having the enrolled smartphone to hand at any given moment, so it can be limiting in some situations (for example a workplace that does not allow phones). If you cannot get to your phone, or its battery is dead, you cannot log in until you have it back or fall back on recovery codes.
While a one-time code is a good second factor, it is not the strongest one available. A hardware security key means you do not have to track down your phone to log in. A FIDO2/WebAuthn key is also more resistant to the phishing attack described earlier: instead of a code the user types into whatever page is in front of them, the key signs a server challenge together with the origin of the site the browser is actually talking to, so a signature obtained by a lookalike domain does not verify at the real one. And if someone steals the key, they still need your username and password, and usually the key's PIN or a fingerprint, before it is of any use to them.
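As an added example (not code from the original article), here is the origin-bound challenge/response at the heart of that phishing resistance, reduced to its essentials. The browser, not the web page, tells the authenticator which origin is asking, and the relying party checks that origin before checking the signature, so an assertion produced for a lookalike domain is rejected even when the challenge inside it is genuine. HMAC with a per-key secret stands in for the asymmetric signature (ECDSA or Ed25519) a real key produces, and the origins are fictional; the structure of the exchange is otherwise what WebAuthn does.

```python
"""Origin-bound challenge/response, simplified from WebAuthn (illustrative example)."""
import hashlib
import hmac
import json
import os


class Authenticator:
    """The security key. Signs what the browser hands it, including the browser-supplied origin."""

    def __init__(self):
        self.key = os.urandom(32)  # stands in for the private key; never leaves the device

    def sign(self, challenge: bytes, origin: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True).encode()
        # Real keys sign with ECDSA/Ed25519; HMAC over the hash is a stand-in with the same binding.
        sig = hmac.new(self.key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """The real site. Knows its own origin and the key registered at enrolment."""

    def __init__(self, origin: str, authenticator: Authenticator):
        self.origin = origin
        self.verify_key = authenticator.key  # stands in for the registered public key
        self.pending = set()                 # outstanding challenges, each usable once

    def new_challenge(self) -> bytes:
        c = os.urandom(32)
        self.pending.add(c)
        return c

    def verify(self, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False  # signed for some other site: the phishing case
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self.pending:
            return False  # unknown or already-used challenge: the replay case
        expected = hmac.new(self.verify_key, hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.pending.discard(challenge)
        return True


REAL_ORIGIN = "https://bank.example"          # fictional
PHISH_ORIGIN = "https://bank-example.com"     # fictional lookalike


def phishing_demo() -> tuple:
    """Legitimate login succeeds; the same key used on a phishing page produces a useless assertion."""
    key = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, key)

    legit = rp.verify(key.sign(rp.new_challenge(), REAL_ORIGIN))

    # Phisher relays the real site's challenge, but the user's browser is on the phisher's origin,
    # and that is the origin the browser gives the key to sign.
    relayed = rp.new_challenge()
    phished = rp.verify(key.sign(relayed, PHISH_ORIGIN))
    return legit, phished


def replay_demo() -> tuple:
    """A captured assertion cannot be presented a second time."""
    key = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, key)
    assertion = key.sign(rp.new_challenge(), REAL_ORIGIN)
    return rp.verify(assertion), rp.verify(assertion)


if __name__ == "__main__":
    print("legit, phished:", phishing_demo())
    print("first use, replay:", replay_demo())
```

Contrast this with the TOTP flow: a six-digit code carries no information about where it was entered, so the relying party cannot tell a relayed code from a genuine one. Here the origin is part of the signed message, and the user never has the opportunity to type it into the wrong place.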