Over the last few weeks, we have focused on authentication, progressing through an overview of Multi-Factor Authentication (MFA) and the most used type of MFA, the one-time password (OTP). Today we will review some of the most common delivery methods for OTPs.
Regardless of which One-Time Password (OTP) authentication method you use, choosing an OTP generator like an authenticator app or key fob is a safer way to use MFA/OTP than, say, SMS texting. Cyber criminals have found ways to intercept SMS codes, whether it’s SIM card fraud, accessing an iCloud or Google account tied to your messaging, or by sending you an infected link allowing them to take control of your phone remotely and view your messages directly on your device. While SMS-based MFA might be better than no MFA at all, it is a lot less secure than using a hardware/physical key code generator like a key fob (which we reviewed in our last blog) or having an authenticator app on your mobile device.
A hardware, or physical, key is something you can hold. These devices generate OTPs from a cryptographic key (the seed value) stored inside the device, and the server holds a copy of the same key. Because both sides derive codes from the same secret, the device and the server stay synchronized: the device generates a code, and the server can verify that the value entered by the user matches the one it computes itself.
The user interfaces (UIs) for hardware/physical keys vary. Examples include a device with a keypad that requires the user to enter a PIN before the OTP is displayed, a token that shows a one-time password for a fixed time step on a built-in screen, and a device (sometimes called a dongle) inserted into a computer's USB port to access information. Hardware/physical keys are considered one of the most secure methods of MFA.
SMS/Text OTP requires a mobile device, or any device where you can read your text messages (this could be a laptop with your text messages accessible through the cloud). Once a user enters their username and password, an SMS message is automatically sent to their phone number with a unique authentication code. The user inputs the code to complete the verification, and only then is access granted.
Most people are comfortable with having an authentication code sent to them via SMS nowadays because our banks, streaming services, and shopping accounts like Amazon use SMS verification. This means there is no learning curve for most users. Hence, SMS is one of the most popular methods for receiving an MFA code.
SMS authentication is not without its flaws, but it is one of the more popular solutions for a few reasons: it’s affordable, works most of the time and is easy to implement.
Email OTP follows the same process as SMS/text authentication, but the code is sent to an email address instead of a phone number. It is widely considered the least secure form of OTP because an email address is not tied to a specific device the way a phone number or hard token is.
Email OTP makes it easy to compromise many accounts at once when a single email address has been compromised. Additionally, because this form of OTP does not require a secure internet connection, and because email systems are a main target of bad actors, we would recommend using a form of OTP that is not based solely on email access.
With a mobile authenticator app, OTPs are generated and accessed directly on the user's device, such as a smartphone, using an app like Duo Authenticator, Okta Authenticator, 2FA (2 Factor Authentication), Google Authenticator, or Microsoft Authenticator. These OTPs are not transmitted to the device over networks like the Internet or the Global System for Mobile Communications (GSM). Today, smartphones are used in many of our everyday business operations, which makes a mobile authenticator app a simple and easy solution for users.
Integrating OTPs using a mobile authentication delivery method is not easy. DevOps must delegate resources to develop and manage these authentication apps, and your users must adopt a new process which could cause headaches for systems administrators. However, authentication applications are considered best practice for MFA to protect sensitive data.
Each of the methods described in this blog is more secure than using only a username and password. There are unique advantages and drawbacks to each OTP delivery method, and we would recommend some more than others. While security is the primary consideration when choosing an OTP delivery method, the user experience and overall implementation costs should also be evaluated.
FTP Today offers various authentication methods and security features to fit your business needs. We offer flexibility like having different methods of OTP for different users. FTP Today provides your organization with the tools to build a strong file transfer authentication policy. Our platform is designed with security and compliance in mind for businesses of all sizes. Learn more about our different plans and features such as MFA, unlimited users, dedicated servers, automation rules, activity logs, consistent security controls, SSO integration, and more.
Contact us to learn how FTP Today can deliver an affordable, effective solution for storing and sharing sensitive information for your organization.
Learner, Researcher, Customer-focused, and the Chief Revenue Officer & VP of Sales for FTP Today. Brendon has successfully navigated multiple industries and has infrastructure certifications in GCP and AWS. He started his career in Oil & Gas business development and successfully transitioned to Rackspace as a Mid to...