Don’t mourn the loss of text-based OTP
12 August, 2016
category: Biometrics, Corporate, Digital ID, Financial, Government
Would you use a computer that is five-years old? How about a smartphone that old? Probably not.
While computing technology advances as time goes by so to does authentication technology. The last couple of weeks saw some wailing and gnashing of teeth when some people finally read the proposed updated to Special Publication 800-63, which recommended deprecating over-the-air one-time passcodes.
The headlines stated that NIST was going to ban or outlaw OTP, which isn’t the case … at least yet. For now the agency is just recommending that agencies find other solutions as there have been some common hacks of this first-generation two-factor authentication technology.
Jeremy Grant, managing director at the Chertoff Group and an advisor to the FIDO Alliance, posted a blog about the discussion and how it’s cause for celebration. “Technology constantly evolves – and as it does, security evolves with it,” he states. “As technology continues to change, the obsolescence of some solutions shouldn’t be feared, it should be welcomed. Particularly when the reason the obsolescence is happening is because old technologies are being replaced with ones that are more secure and easier to use.”
New tools that are more secure and easier to use are emerging to help people have better online security. While text-based OTPs were the first generation we’re now in the second generation of application-based passcodes. “While offering security advantages, these apps have not caught on due to the need 1) for consumers to actively download a dedicated app for strong authentication and 2) a mediocre user experience requiring consumers to stop what they are doing, launch an app and then enter a code,” Grant states.
The next generation will make authentication easier. Mobile devices are embedded with biometric sensors, Trusted Execution Environment, Trusted Platform Module, or Secure Enclave, all of which will make online authentication more secure and easier to use.
NIST is hardly the first to throw up warning signs over Text-based OTPs. Google, the FTC and Gartner have all issued warnings over the past year. “Next generation authentication solutions are here today that address the weaknesses of SMS and other ‘shared secrets’ technology, providing tools that are not only more secure, but also easier to use,” Grant states.