One time passwords (OTPs) are a popular choice for organizations looking to step up their security with two-factor authentication (2FA). These randomly generated passwords are only valid for a single login session and overcome many of the vulnerabilities of traditional passwords.
There are multiple delivery methods for OTPs—each with its own advantages. Organizations looking into OTP authentication options need to explore and understand which delivery method best meets their needs.
We recently took a closer look at the benefits and drawbacks of OTP soft token and hard token delivery methods. This post focuses on on-demand delivery methods for OTPs, specifically short message service (SMS) and email. While on-demand OTPs are commonly used for first-time user logins and password resets, a large number of companies—especially in the financial industry—use SMS and email OTPs as an extra user verification step.
How On-Demand Tokens Work
The process begins with a user first logging in to a system with his or her username. This triggers an on-demand OTP to be sent to the user’s mobile phone number or email address, depending on which delivery method the organization has in place.
The user retrieves the OTP and enters it into the prompt to verify his or her identity and gain access. Unlike hard and soft OTPs, on-demand OTPs are often event-based rather than time-based, meaning they are not time-sensitive. However, as with other OTP delivery methods, on-demand OTPs are not reusable and expire after being used.
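The two-step flow just described, written out as an added example in Python (this is not code from the original post or from any product it mentions). It models the server side only: a username triggers a fresh random code sent through a delivery callback, and the code is accepted once and then retired. The delivery callback, the server-side pepper, the attempt cap and the validity window are assumptions chosen for this example; the post says on-demand codes are event-based rather than time-based, so the window is an added bound, not part of the scheme itself.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Parameters chosen for this example; they are assumptions, not values from the post.
CODE_LENGTH = 6       # digits in the delivered code
MAX_ATTEMPTS = 5      # wrong guesses allowed before the code is voided
TTL_SECONDS = 300     # optional validity window added here as a conservative bound


@dataclass
class PendingCode:
    """Server-side record for one outstanding code. Only a keyed hash of the code is kept."""
    code_mac: bytes
    issued_at: float
    attempts: int = 0


class OnDemandOtpService:
    """Issues and verifies single-use codes that the server generates and sends out of band."""

    def __init__(self, deliver: Callable[[str, str], None], pepper: bytes,
                 now: Callable[[], float] = time.time) -> None:
        self._deliver = deliver   # hypothetical SMS gateway or SMTP client; an in-memory stub below
        self._pepper = pepper     # server-side key so a copied table does not reveal live codes
        self._now = now
        self._pending: Dict[str, PendingCode] = {}

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), "sha256").digest()

    def request_code(self, username: str, destination: str) -> None:
        """Step 1 of the flow: the username triggers a fresh random code to the user's phone or email."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # A new request replaces any earlier outstanding code for the same user.
        self._pending[username] = PendingCode(self._mac(code), self._now())
        self._deliver(destination, f"Your one-time code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        """Step 2: the user types the code back. Success or too many failures retires the record."""
        rec = self._pending.get(username)
        if rec is None:
            return False
        if self._now() - rec.issued_at > TTL_SECONDS:
            del self._pending[username]
            return False
        if hmac.compare_digest(rec.code_mac, self._mac(submitted)):
            del self._pending[username]      # not reusable: replaying the same code fails
            return True
        rec.attempts += 1
        if rec.attempts >= MAX_ATTEMPTS:
            del self._pending[username]      # cap online guessing of the six-digit space
        return False


class FakeClock:
    """Constructed clock so the example can advance time without sleeping."""
    def __init__(self) -> None:
        self.t = 1_700_000_000.0

    def __call__(self) -> float:
        return self.t


def demo() -> Dict[str, bool]:
    """Walk through issue, verify, replay, lockout and expiry with a constructed in-memory outbox."""
    outbox: List[str] = []
    clock = FakeClock()
    svc = OnDemandOtpService(deliver=lambda dest, msg: outbox.append(msg),
                             pepper=b"constructed-example-pepper", now=clock)
    results: Dict[str, bool] = {}

    svc.request_code("alice", "+1-555-010-0000")   # constructed, non-routable destination
    code = outbox[-1].split()[-1]
    results["first_use"] = svc.verify("alice", code)        # True
    results["replay"] = svc.verify("alice", code)           # False: single use

    svc.request_code("alice", "+1-555-010-0000")
    code = outbox[-1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"      # guaranteed-incorrect guess
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)
    results["after_lockout"] = svc.verify("alice", code)    # False: voided after too many misses

    svc.request_code("alice", "+1-555-010-0000")
    code = outbox[-1].split()[-1]
    clock.t += TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", code)          # False: past the validity window
    return results
```

Two design points follow from the post's own observations. Because the code travels in plain text over SMS or email, the server keeps only a keyed hash, so a leaked pending-code table does not hand out live codes. And because a six-digit value is small enough to guess online, a bounded attempt count is what makes "not reusable" meaningful in practice.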
Benefits of On-Demand OTP Delivery
Ease of Use
On-demand OTP delivery methods are easy to use and convenient because users don’t have to download and configure a separate app, as with soft token OTPs and push notifications; remember anything, as with traditional passwords; or carry a separate card, key fob, or USB, as with many other authentication methods.
With on-demand delivery, OTPs are sent in real time, and the user typically waits just a few moments to receive them. Many people already have their email open on their computer or their mobile devices readily at hand, so accessing email and SMS OTPs is highly convenient. Furthermore, SMS messages can be delivered on mobile devices that aren’t smartphones, unlike other mobile-based authentication methods.
By leveraging a user’s existing mobile phone or email account, on-demand OTP delivery methods offer significant cost savings over hard token options, which require separate hardware purchases and shipping costs.
Ease of Administration
Implementation of on-demand OTP delivery methods is relatively simple for organizations. For example, with SMS delivery, companies often leverage telephone carriers’ existing SMTP-to-SMS gateways, and for users, there is no setup involved—they simply request a code at login. Because administration is so easy, SMS and email OTPs are often used as a means of granting short-term access when deploying physical tokens or when having a user download an authenticator app is undesirable or too much of a hassle.
More Secure than Traditional Passwords
OTPs overcome many shortcomings of traditional passwords because they are not reusable and, therefore, are not vulnerable to replay attacks, in which valid usernames and passwords are captured in network traffic and used to fool a system into granting access by replaying the request. For this reason, it’s more secure to use an OTP in public computer settings, such as a console in a hotel business center or public Wi-Fi at an airport, where users run the risk of having their traditional passwords stolen by keyloggers.
Mobile devices and email accounts also have separate built-in authentication methods to prevent unauthorized access, including FaceID, TouchID, and login credentials, which provide an added layer of security. Additionally, because OTP delivery is in real time, unexpected OTP messages can alert users of hacking attempts, allowing them to investigate and take necessary action before it’s too late.
No Shared Secret to Crack
Hard tokens and mobile authenticator apps depend on a shared secret with the server that is combined with the current time to generate an OTP, but attackers can crack the authenticator app or servers to uncover the shared secret, making it possible to clone your OTP codes indefinitely. On-demand OTPs, however, are just random values sent by the server, so there’s no shared secret to be exploited.
Drawbacks of On-Demand OTP Delivery
Not Recommended by NIST
In July 2016, the U.S. National Institute of Standards and Technology (NIST) announced that OTPs should no longer be sent to mobile phones via SMS message because the OTPs can be stolen too easily. NIST also warned that the ability to receive email messages or other types of instant messages “does not generally prove the possession of a specific device,” so they should not be used as out-of-band authentication methods either. NIST instead recommends that organizations use more secure authentication methods, such as push notifications, soft OTPs, and FIDO U2F tokens.
Increased Attack Surface
Many systems are involved in the delivery of an SMS or email—each with its own vulnerabilities. First, there are the internet protocols, wireless networks, and email service providers that deliver the OTPs, and then there are the various third parties that messages can be relayed through (SMS middleware, telephone companies, mobile OS companies, VOIP companies, internet service providers, app authors, and so on). Finally, the OTPs can be delivered to multiple devices (phone, computer, smartwatch, tablet, and so forth) and accessed and read by multiple apps on each device. The more links in the chain, the more points of weakness there are to exploit.
Additionally, although on-demand OTPs may appear to be 2FA, where the OTP is the “something you know” and the mobile device is the “something you have,” this isn’t necessarily the case. With email and SMS delivery methods, the “something you have” is really “something sent to you.” Many phone numbers today are not tied to a phone at all, such as those used through Google Voice. Other apps, such as Google Messenger and Hangouts, have access to a phone’s SMS inbox. If hackers gain access to these apps, they can also remotely access and steal a user’s 2FA codes. Furthermore, the phone number that the user used for registration might now belong to someone else or could even be hijacked by a hacker.
Can Be Spoofed
On-demand delivery methods are susceptible to spoofing, a phishing technique that hackers use to trick users into giving them account information or codes by pretending to be a legitimate source. An attacker simply visits the login page and requests a “reset password” 2FA code be sent. Then, the attacker sends the victim an SMS message or email that appears to be from a legitimate source and says something along the lines of: “Suspicious activity has been detected on your account. Respond with the code you received in order to prevent unauthorized access.” If the victim forwards the code, the attacker is able to gain easy access to the account.
Phone Accounts Can Be Hijacked
Phone accounts can be hijacked in what’s known as a SIM card swap attack. This is when hackers with some knowledge of their victims, such as the last four digits of their Social Security number, call the victim’s phone carrier and have the victim's phone number moved to a new device that’s in the hacker’s possession, so that the OTPs can be intercepted. In one recent case, a hacker used publicly available information to persuade AT&T to reassign the victim’s phone number, then accessed the victim’s PayPal account using SMS 2FA.
Codes Can Be Intercepted
Hackers can exploit vulnerabilities in Signaling System No. 7 (SS7), an international telecommunications standard that facilitates SMS delivery—this isn’t as difficult or expensive as one might think. Attackers can gain access to the SS7 network for as little as $500 a month. This occurred in 2017 when attackers exploited this vulnerability to intercept SMS messages with OTP codes tied to victims’ bank accounts.
Codes Are Sent in Plain Text
SMS and email messages are sent in plain text, meaning anyone who manages to intercept or get access to them can clearly read the OTP.
Can Be Viewed Without Authorization
Many smartphone users enable text notifications to be visible when their devices are locked, so an SMS code could potentially be read by simply glancing over a user’s shoulder without the user’s knowledge.
Mobile and Messaging Shortcomings
Leveraging mobile phones for OTP delivery presents shortcomings related to the devices themselves, including battery life, users losing or forgetting their devices, and some users not wanting to use their personal phones to receive OTP codes for work purposes.
There are also issues related to the text messages themselves, such as occasional delivery failures, some users not having text messaging capabilities, and potentially incurring a per-text charge from third-party messaging providers. Additionally, if an organization has many international users, the cost or added difficulty of sending local SMS can be prohibitive.
Requires Cellular Service or Internet Access
On-demand OTPs require users to have cellular service (SMS only), Wi-Fi signal, or internet access in order to be delivered. If users are offline or out of network, such as on an airplane, in a remote area, or traveling internationally, they may be unable to access the codes.
Are On-Demand OTPs Right for Your Organization?
OTPs delivered through email and SMS messages are a widely used form of 2FA that many organizations choose for user convenience, ease of administration, and low associated costs. On-demand OTPs may be an option for your organization if you are looking to prioritize usability over security.
However, as with any authentication method, it’s important to carefully weigh the benefits against the drawbacks and security vulnerabilities and evaluate all possible authentication options. Today, there are a number of convenient, secure, and cost-effective authentication methods backed by NIST that may better meet your organization’s needs. Selecting an authentication platform that offers a broad range of authentication methods can help your organization choose the methods that best meet its needs.