Table of Contents

The Value of SMS One-Time Passcodes and Why They Shouldn’t be Banned

German banks are reportedly moving away from SMS one-time passcodes.

Let me first say that I’m not a big fan of SMS-based one-time passcodes (OTP) . SIM swapping is a real threat and we’ve seen successful SIM swap attacks before. However, banning or dropping SMS-based techniques as a result of those successful attacks is exactly what’s wrong with authentication and authorization today.

The fact that some banks relied on SMS as a binary authentication factor (i.e. with each transaction and not based on risk) is alarming to begin with, but the fact that they’ve now decided to drop SMS OTP altogether is just as alarming.

Organizations are always looking for a silver bullet that can give them a binary “strong” authentication result. Well, there isn’t one and anyone who’s selling this dream is, well … dreaming. Those who put their faith in mobile or biometrics are in for unpleasant surprises.

There isn’t a silver bullet.

The right approach is building trust in the user’s identity and devices over time using multiple approaches and based on thorough risk analysis (Continuous Adaptive Risk and Trust Assessment). SMS is one of the approaches that can be used at the right time and based on risk. Used in conjunction with multiple other techniques over time will produce some great results.

Remove SMS and you have one less indicator to rely on when building trust. The entire approach to authentication and authorization has to change if we really care about our users’ identities as opposed to just “complying” with various regulations. Complying is important, but the way you comply makes all the difference.

 

Author

  • Alex Brown

    A self-professed technology geek, content writer Alex Brown is the kind of person who actually reads the manual that comes with his smartphone from cover to cover. His experience evangelizing for the latest and greatest tech solutions gives him an energized perspective on the latest trends in the authentication industry. Alex most recently led the content team at Boston-based tech company Form.com.

    View all posts