Page 43 - Cyber Warnings
VoiceOTP Audio Message: VoiceOTPs deliver end users a passcode via phone call. When the
user answers his or her phone, an audio message is played, giving a brief introduction and then
a randomly-generated passcode is “spoken,” making the OTP impossible to intercept.
Mobile Software Tokens: Unlike SMS OTPs, software-based one-time passcodes that help
validate login and transactional activity are secured by encryption and other methods, making
them useless to cybercriminals if intercepted.
A mobile-application-based OTP is delivered to a user’s phone or tablet and appears on screen,
meaning the user doesn’t have to toggle between different apps to enter the passcode.
As we can see, multi-factor authentication that is out-of-channel and smartphone (or tablet)-centric
provides inherently superior security compared to the aging SMS OTP second-factor
authentication approach.
It is also more convenient, providing a near-frictionless user experience.
But this does not mean that the SMS-delivered password is completely obsolete. The NIST
recommendation is most relevant in fully-developed digital markets such as North America,
Europe and elsewhere.
Its position on SMS-delivered OTPs is aimed squarely at the US, where smartphones and
tablets are ubiquitous.
In less developed markets where there is little smartphone penetration and the old-model
“dumb-phones” are still the norm, SMS OTPs are indeed still very useful, as there are few
alternative second-factor authentication methods available for these end users.
So is the SMS-delivered OTP dead? Not quite. It may be too soon for SMS’s funeral, but the
authentication factor is getting on in years and should be considering retirement.
About the Author
Having spent over 10 years in development, architecture and consultancy roles in the financial
services industry, Paul Wilson is a Product Manager at Easy Solutions. Paul works with
prospects, customers, and the rest of the Easy Solutions team in the creation of fresh and
innovative solutions.
Prior to Easy Solutions, Paul held roles at FIS, the world’s top provider of banking technology,
and at VocaLink, the operator of the UK national payments infrastructure.
43 Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide