One-time passwords sent via text should be avoided.

  • SMS-based OTPs are susceptible to fraudsters' attacks through phishing, SIM swapping, and interception of messages.
  • The consensus is that one-time passwords should be replaced due to the cybersecurity risks.
  • Experts suggest using authenticator apps, such as Google Authenticator or Microsoft Authenticator, on mobile devices for improved security.

One-time passwords (OTPs), commonly used by mobile phone users to log into apps and relied upon by many companies to grant access, are increasingly being questioned by cybersecurity professionals. While experts acknowledge that OTPs are convenient, they believe that they should be eliminated, although it is unlikely to happen anytime soon.

Gartner Research vice president analyst Ant Allan emphasizes that while there are no foolproof authentication methods, some are stronger than others, and consumers should be aware of the different types of one-time passwords and their relative security risks and benefits.

Here's what consumers need to know about OTPs and online security:

OTPs are vulnerable to online scams

Javelin Strategy & Research's Tracy C. Kitten stated that OTPs sent via text message, or SMS, are more susceptible to fraudsters' attacks through phishing, SIM swapping, and message interception, even if your phone is in your possession.

If your mobile account or an online account is taken over, you may not be aware of it immediately. For example, you could ask a bank to send a text and then ask it to resend, not realizing someone else is receiving the messages. It could take you 45 minutes before you realize something's wrong, and at that point it's too late.

Use an authenticator app from Google, Microsoft

Allan stated that authenticator apps, such as Google Authenticator or Microsoft Authenticator, are a safer option than SMS, although they are not a complete solution. These apps can still be vulnerable to certain types of attacks, such as "adversary in the middle."

An authenticator app generates a unique code for users to log in, which expires after 30 to 60 seconds. The app is on a mobile device, and if the phone is password-protected and has facial recognition enabled, it significantly reduces the risk of unauthorized access to the codes.

Cedric Thevenet, vice president and head of cyber sales and solutioning at Capgemini Americas, stated that there are still potential vulnerabilities in the need to enter a code, as a person could receive an email that appears to be from a familiar company or provider, but is actually a phishing attempt. AI is making it harder to detect these types of emails, Thevenet added.

If an unsuspecting user clicks on a link that appears to be legitimate but isn't, they may enter their username and password on a hacker's site, thinking it's the provider's site. When prompted for an authenticator code, the user may unknowingly provide that too, giving the hacker access to the person's account.

Consider mobile app push for better protection

A more secure authentication method is available when using mobile apps on a user's phone. When logging into a website for a bank or other provider, users receive a notification on their phone's app, prompting them to verify their identity through the notification.

Allan stated that this verification method is not dependent on the device being used and is more secure than SMS or OTPs. However, there are still potential attacks that can compromise this method. For instance, a hacker could attempt to log into a user's account using a stolen password and send multiple verification messages to the user's phone. If the user is careless or simply wants to stop receiving messages, they may click to verify, granting the hacker access to their account.

Opt for hardware security key when possible

Using a hardware security key, such as one from Yubico, is a better option than SMS or an authenticator app, according to Allan. However, there is an investment involved, as a key can cost between $20 and $60 or more, and care must be taken to prevent loss.

Thevenet stated that it's not practical for an online retailer to provide a key to each of its customers due to cost considerations.

Take passwords out of the equation with multi-device passkeys

Using multi-device passkeys, which replace passwords, makes it harder for attackers to access your accounts. Passkeys involve a private key stored on your computer or phone and public key cryptography, as stated by the FIDO Alliance, an industry association aimed at reducing the world's dependence on passwords.

Passkeys provide an additional layer of security by working only on registered websites and apps, making it more difficult for attackers to get started with phishing attacks. While there are still some security concerns, passkeys eliminate the need for passwords, which can be a significant improvement in protecting user data.

Allan stated that from a regulatory standpoint, passkeys may not be considered multi-factor authentication, but they could still be more secure than using a password and SMS.

Expect OTPs via SMS to remain in use, and a risk

Password managers are one of the many options available for users to enhance their online login security, but they come with risks and are limited by the authentication methods offered by different providers.

Protiviti's managing director, Dusty Anderson, leads the firm's digital identity practice and has a client that spends tens of thousands of dollars monthly on SMS-based OTPs. Although security concerns exist, the client is resistant to change due to fear of disrupting customers who may not be tech-savvy and may be hesitant to use a different type of authenticator, she stated.

Is it the best solution to use OTPs through SMS? No. Is it better than just a password? Yes.

by Cheryl Winokur Munk
