You are currently viewing Is SMS OTP authentication as safe as we believe?

Is SMS OTP authentication as safe as we believe?


All of us who use banking or e-commerce applications are familiar with the authentication grind – enter your username and password and as additional security, enter the OTP sent to your registered phone number.

Though we find it cumbersome and even downright annoying, especially when the phone is not by your side or has run out of charge, still, we go with the process simply because we believe it is necessary to protect our data and credentials.

But is the SMS OTP authentication as safe as we believe?

Before we jump into the answer, let’s quickly look at the evolution of the practice of sending SMS OTPs to get an understanding of its advantages.

Evolution of SMS OTP

With the growth of Internet applications and the availability of advanced tools for hackers, security became a concern, and the existing security mechanism of just a password became insufficient.  So, a two-factor authentication became a preferred option as the identity of a user was verified at two levels.

The first was the good old password, and this was followed by a code sent to a registered email ID or phone number. Since no downloads or physical tokens were required, this quickly became the de-facto way of authenticating users.

But only until the downside was understood.

Is SMS OTP safe?

Though SMS OTP is touted to be safe and convenient, in reality, it is neither.

And why?

Phones can get stolen

The most obvious reason is that your phone can be stolen, so your OTP can fall into the wrong hands.

Now, you might think it is a far-fetched option to lose your phone and to have someone use your OTP to access an application, still, this is a possibility, and that’s a good enough reason to look beyond OTPs for secure access.

SMS can be hacked

Don’t be shocked at the heading! It is true.

There have been many instances where the SMS codes have been hacked by leveraging the loopholes present in the telecom providers’ network.

Take the case of a massive hack that happened in 2017. Fraudsters leveraged a loophole in Signaling System 7 (SS7), an internal telecommunications standard that defines how mobile phones must connect and exchange a number with each other.  As a result, they intercepted the codes associated with the banking transactions of users to transfer funds to their own accounts.

When this came to light, it caused a big uproar, but the practice of using SMS OTPs continued for a lack of other viable options.

Greater acceptance for non-OTP options

Almost every major organization today is listening to the millennials, as they are the future users of existing systems.

According to a survey conducted by Aite Group, more than 48% of millennials were open to the idea of switching authentication modes. In comparison, only 16% of seniors were open to this possibility.

This goes to show that the next generation of users are more willing to explore authentication methods that go beyond just passwords and SMS codes. In fact, 85% of the respondents in this age group were open to fingerprints while 76% were willing to go with facial recognition.

Since biometrics have a wider acceptance, many solutions have started embracing it, to not just meets the users’ preferences, but also to improve the level of security and authentication.

What is SAWO?

Secure Authentication Without OTP (SAWO) is the next-gen authentication system that moves away from passwords and OTPs, and at the same time, securely authenticates users.

With SAWO, all that users have to do is enter their username and the associated email ID or phone number. That’s it! No passwords and no OTPs at all. The system will trigger the phone lock and based on it, will automatically authenticate the user against the registered phone number or email ID to verify the credentials, and will accordingly, provide access.

The best part is that SAWO stores no passwords, so there is no chance for hackers to access them. From an organization’s standpoint, there are no hassles involved, and it is cost-effective as well because there is no dependence or financial payouts to third-party providers like cellular operators.

For users, it is a safe and easy way to log in without having to remember complicated mashed-up passwords or waiting for the SMS code on their phones.

In all, a win-win situation for everyone involved.

So, reach out to us right away to get started!





Source link

Leave a Reply