Understanding One-Time Password (OTP) Authentication Options

Over the last few weeks, we have focused on authentication progressing through an overview of Multi-Factor Authentication (MFA), the most used type of MFA – one-time password (OTP), and today we will review some of the most common delivery methods for OTPs (One-time passwords).

Regardless of which One-Time Password (OTP) authentication method you use, choosing an OTP generator like an authenticator app or key fob is a safer way to use MFA/OTP than, say, SMS texting. Cyber criminals have found ways to intercept SMS codes, whether it’s SIM card fraud, accessing an iCloud or Google account tied to your messaging, or by sending you an infected link allowing them to take control of your phone remotely and view your messages directly on your device. While SMS-based MFA might be better than no MFA at all, it is a lot less secure than using a hardware/physical key code generator like a key fob (which we reviewed in our last blog) or having an authenticator app on your mobile device.

Hardware/Physical Key

Hardware, or a physical key, is something you can hold. These devices generate OTPs based on a cryptographic key stored inside. The same cryptographic key is also held by a server. These devices synchronize with one another using a secret key/seed value allowing them to generate the same OTP and verify the value entered by the user matches that of the server.

The user interfaces (UIs) for hardware/physical keys can vary. For example, a device with a keypad that requires a PIN to be entered by the user before the OTP is displayed, a physical token that presents a one-time password with a time step on a built-in screen, or a device (sometimes called a dongle) inserted into the USB port of a computer to access information. Hardware/physical keys are considered one of the most secure methods of MFA.

Advantages

• It is difficult to remotely breach hard token-based security systems because they do not require an internet connection to work.
• Hardware tokens minimize the attack surface. Cyber criminals typically need physical access to the hard token to hack it. This is much less likely than a cyberattack using an internet connection.
• Self-Powered (so no issues if the battery on your mobile device fails)
• Durability (Typically, these devices will survive quite a bit of punishment)

Disadvantages

• They are high maintenance and require staff to handle deployment, replacement costs, and support questions.
• Hardware tokens are small and can be lost/stolen more easily. If a hard token falls into the wrong hands this can lead to a larger security issue for your organization.
• Since most users have a single hard token that allows them access to multiple systems, a missing hardware token could keep them from performing job functions until a replacement is provided.

SMS/Text

SMS/Text OTP requires a mobile device, or a device where you can access your text message (this could be a laptop with your text messages accessible through the cloud. Once a user enters their username and password, an SMS message is automatically sent to their phone number with a unique authentication code. The user will input the code to verify the authorization, and only then is access granted.

Most people are comfortable with having an authentication code sent to them via SMS now-a-days because our banks, streaming services, and shopping accounts like Amazon use SMS verification. This means there is no learning curve for most. Hence, SMS is one of the most popular methods for receiving an MFA code.

Advantages

• SMS is user friendly because it does not require any hardware or applications to configure. It is highly likely that a user has a device to receive text messages and a “smart” phone is not required – making SMS authentication more user friendly.
• SMS implementation is quick and simple. IT managers can use an SMS API to send these transactional text messages.

Disadvantages

• SMS codes can be intercepted by cyber criminals through various methods like SIM swapping, spy apps, and trojan horse links.
• Requires a reliable cell phone signal and battery life.
• May result in occasional SMS delivery failures which might affect an employee’s ability to complete job functions, and might create frustration.
• Although rare, these 3rd Party Messaging providers often incur a per text charge, and if an employee is receiving the text messages while out of the country, the international charge could be significant depending on where they are in the world.

SMS authentication is not without its flaws, but it is one of the more popular solutions for a few reasons: it’s affordable, works most of the time and is easy to implement.

Email

Email OTP follows the same process as SMS/text authentication, but the code is sent to an email address instead of a phone number. It’s widely considered the least secure form OTP because an email address is not tied to a specific device like a phone number or hard token.

Advantages

• It is likely that most users already have their email open on one or more devices, so it is extremely convenient and easy to use.
• Email authentication is cost effective because it leverages the users’ existing email account and nothing else is required for the user.
• If you are not using time step based (TOTP), then there is no risk of OTP timeouts.

Disadvantages

• A password can usually be reset from an email account making it far less secure than other OTP methods.
• An internet connection is required to access email, and if the connection is unavailable, then code cannot be received and used.
• Email accounts are the biggest target of bad actors and over 90% of cyberattacks infiltrate an organization via email.

Email OTP makes it easy to compromise many accounts at once when an email address has been compromised. Additionally, because this form of OTP does not require a secure internet connection, and since email systems are the main target of bad actors, we would recommend using a different form of OTP that is not based solely on email access.

Applications

OTPs are generated and accessible directly on a user’s device such as a smartphone like Duo Authenticator, Okta Authenticator, 2FA (2 Factor Authentication), Google Authenticator, or Microsoft Authenticator. These OTPs are not transmitted to the device through networks like the Internet or the Global System for Mobile Communications (GSM). Today, smartphones are used in many of our everyday business operations. This makes using a mobile authenticator app a quite simple and easy solution.

Advantages

• Authenticator apps are low cost in comparison to hardware tokens.
• OTP applications are easy to use and accessible to employees who always carry a phone with them.
• Some authentication apps provide two authentication options: receive a notification that the account is attempting to be accessed and approve or decline the verification or you can open the app and use the verification code that changes based on a timeframe.
• With an enterprise solution, an administrator can manage users and access directly from an administrator interface.

Disadvantages

• System administrators are not able to batch-import app authentication codes.
• Your organization is asking your IT team to take on additional administration and security related tasks they might not have time for.
• Cell phones get lost or stolen all the time, and the device might be the last item a bad actor needs to gain access (or control) of data held in your systems.

Integrating OTPs using a mobile authentication delivery method is not easy. DevOps must delegate resources to develop and manage these authentication apps, and your users must adopt a new process which could cause headaches for systems administrators. However, authentication applications are considered best practice for MFA to protect sensitive data.

Are Your Files Being Transferred Securely?

Each of the methods described in this blog are more secure than utilizing only a username and password. There are unique advantages and drawbacks to each OTP delivery method, and we would recommend some more than others. While security is the primary consideration when choosing an OTP delivery method, the user experience and overall implementation costs should also be evaluated. There are also other essential control features to consider for secure file sharing.

Sharetru offers various authentication methods and security features to fit your business needs. We offer flexibility like having different methods of OTP for different users. Sharetru provides your organization with the tools to build a strong file transfer authentication policy. Our platform is designed with security and compliance in mind for businesses of all sizes. Learn more about our different plans and features such as MFA, unlimited users, dedicated servers, automation rules, activity logs, consistent security controls, SSO integration, and more.