OTPs vs Authenticators

What are authenticators and OTPs?

With fraud accounting for nearly 40% of all crime in England and Wales, businesses are exploring modern solutions to reduce financial and reputational damage. For smaller enterprises, securing the registration and account usage processes is the focus. Larger enterprises that host high-value transactions face stricter security requirements.

Over the last five years a range of identity verification solutions have come to market, with SMS OTPs and authenticator applications being the two most notable. But what are they?

“A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device.”

Definition of OTP from Wikipedia

“An authenticator app is usually installed on a smartphone and generates a 6-8 digit code every 30 seconds. The code can be used for signing in, trading, depositing, or withdrawing funds from an account.”

Definition of Authenticator from Kraken

An OTP is most commonly a short numeric code sent by SMS to the mobile number given during the signup process; the user copies it into the web form to complete the login. Authenticator apps and SMS OTPs are both second factors in 2FA (Two Factor Authentication), along with email codes and phone calls. Both decrease the likelihood of fraud and signal that you take fraud seriously, but how do you know which one is right for your business?
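As an added example (not code from the original article or from Phronesis), the minimal server-side logic behind the SMS OTP just described: the server generates a random code, hands it to the SMS gateway, and later checks the submitted value. The three properties that make it a *one-time* password are enforced here: the code expires, it is consumed on first successful use, and a handful of wrong guesses invalidates it, which matters because a 6-digit code has only one million possible values. The in-memory store, the TTL and the attempt limit are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: phone number -> pending challenge.
# A real deployment keeps this in a database or cache with a TTL.
_PENDING = {}

OTP_DIGITS = 6           # 6-digit code: one million possibilities
OTP_TTL_SECONDS = 300    # assumption: a code expires after five minutes
MAX_ATTEMPTS = 5         # assumption: lock the challenge after five wrong guesses


def _digest(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked store does not leak live codes.
    return hashlib.sha256(salt + code.encode()).digest()


def issue_otp(phone: str, now=None) -> str:
    """Create a fresh challenge for `phone` and return the code to send by SMS."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, zero-padded
    salt = secrets.token_bytes(16)
    _PENDING[phone] = {
        "salt": salt,
        "digest": _digest(code, salt),
        "expires_at": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code  # the caller passes this to the SMS gateway; it is never logged


def verify_otp(phone: str, submitted: str, now=None) -> bool:
    """Return True once, for the right code, within the TTL and attempt budget."""
    now = time.time() if now is None else now
    challenge = _PENDING.get(phone)
    if challenge is None:
        return False                       # nothing pending (or already used)
    if now > challenge["expires_at"]:
        _PENDING.pop(phone, None)          # expired: discard, user must request again
        return False
    challenge["attempts"] += 1
    if challenge["attempts"] > MAX_ATTEMPTS:
        _PENDING.pop(phone, None)          # brute-force guard: burn the challenge
        return False
    ok = hmac.compare_digest(_digest(submitted, challenge["salt"]), challenge["digest"])
    if ok:
        _PENDING.pop(phone, None)          # single use: the same code never works twice
    return ok


if __name__ == "__main__":
    number = "+447700900123"               # constructed sample number
    code = issue_otp(number)
    print("would SMS:", code)
    print("first check:", verify_otp(number, code))
    print("replay:", verify_otp(number, code))
```

The pieces to keep when adapting this: compare with `hmac.compare_digest` rather than `==`, count attempts per challenge (and, in production, per number and per source IP as well), and never let a successful verification leave the challenge behind.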

What are the benefits of OTPs?

  • An industry norm, which means customers are already comfortable with how they work. Familiarity with a system reduces the likelihood that customers become frustrated, and therefore reduces abandonment in the middle of signing in or purchasing.
  • There is limited friction with SMS OTPs: no smartphone or app store account is needed, any phone that can receive a text will do.
  • OTPs can alert customers to a potential Account Takeover in real time: an unexpected code means someone else already has their password, giving them a heads up that it is time to change it quickly or contact their bank.

What are the downsides of OTPs?

  • SMS OTPs are vulnerable to SIM-swap attacks, where a fraudster convinces the mobile provider to move the victim's number onto a SIM in the fraudster's possession, so that every text and call, including the OTP, is delivered to the fraudster.
  • Though SMS OTPs are recognisable, they still add friction: the customer has to wait for the message to arrive and copy the code across. Certain authenticators provide a faster verification process, which feels better for the customer.
  • SMS OTPs also require mobile coverage; for those living in the countryside, or in any building with thick enough walls, this is a familiar pain point.
  • SMS OTPs are vulnerable to malware on the phone: an app that has been granted permission to read SMS can capture incoming codes and forward them to the fraudster.

What are the benefits of Authenticators?

  • Authenticators are tied to the app on the device itself: the secret is stored on the phone, each code is computed from that secret and the current time, and nothing travels over the mobile network. A SIM swap therefore gains the fraudster nothing; unless the phone itself is stolen, the codes stay with the customer, and each one expires after a short interval.
  • Authenticators work without cell service or Wi-Fi, because the code is computed locally, giving your customers an extra layer of convenience when authenticating.
  • Authenticators can deliver a speedy sign-in when designed well, for example a push-based approval where the customer taps the number that matches the one shown on the login screen.
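The "6-8 digit code every 30 seconds" in the Kraken definition, and the "codes expire" and "works without cell service" points above, all come from one mechanism: TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter set to the current 30-second time step. The block below is an added example, not code from the original article or from any authenticator vendor; it uses the reference secret from RFC 6238's own test vectors so the outputs can be checked against the RFC, and it adds the two server-side checks a practitioner needs: a small drift window and replay rejection of an already-used time step.

```python
import base64
import hashlib
import hmac
import struct
import time

# Secret from RFC 6238's published test vectors (ASCII "12345678901234567890").
# A real enrolment generates a random secret per user and shows it as a QR code.
RFC6238_SECRET = b"12345678901234567890"
STEP = 30      # seconds each code is valid; matches the "every 30 seconds" above
DIGITS = 8     # the RFC vectors use 8 digits; most authenticator apps use 6


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"           # keep leading zeros


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    Only the shared secret and the clock are needed, which is why it works offline."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, submitted, at, last_used=-1, step=STEP, digits=DIGITS, window=1):
    """Check a submitted code against the current step and `window` steps either
    side (clock drift). Returns the matched counter, or None. Counters at or below
    `last_used` are rejected so a code captured by malware or phishing cannot be
    replayed within the same 30-second step."""
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter  # caller persists this as the new last_used
    return None


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, which is what the enrolment QR code carries."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    now = int(time.time())
    print("secret for the app:", provisioning_secret(RFC6238_SECRET))
    print("code right now:", totp(RFC6238_SECRET, now))
```

Two design notes: the drift window should stay at one step either side (a wide window multiplies an attacker's guessing odds), and the matched counter must be stored and compared on the next login, otherwise the "one-time" property is lost for the remainder of the step.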

What are the downsides of Authenticators?

  • Authenticators are not perfect: if a fraudster can get malware onto the phone, they may be able to read codes in real time or extract the stored secret and generate codes themselves.
  • They require the user to download an app and have access to an app store.
  • Having multiple authenticators can start to clutter your customer's phone, leading to frustration.
  • They are less familiar to the average consumer; the less tech-savvy may be apprehensive about adopting this method of verification.
  • Authenticators can be more costly and complicated for a business to set up.

Which is better, OTP or authenticator?

Both have advantages: authenticators provide a higher level of security but a less comfortable customer experience; OTPs are more convenient for the customer and the business in general, but less secure because of SIM-swap fraud. This conundrum, 'security vs convenience', is a common one. Luckily there are supplements to both forms of 2FA that remove the largest pitfalls, allowing businesses to provide an elevated level of security without sacrificing customer experience.

Mobile Data turning 2FA into MFA

When you use a mobile as your second factor you turn the phone number into a digital identity device. This relies on the assumption that the customer still controls the phone number, which is not always the case. When used in tandem with MNO (Mobile Network Operator) data, however, mobile numbers become a useful proxy for digital identity, because MNO data provides data points indicative of genuine identity.

The benefits of MNO data are substantial. MNOs can report whether the SIM has been swapped and when; whether the number has been recycled; whether the device has been changed; whether it has been reported lost or stolen; and whether the device in use is the one attached to the number submitted. When you have this information in aggregate, along with an OTP, confidence in an individual's legitimacy is very high. MFA (Multi-Factor Authentication) is the new 2FA: layering less obstructive methods of authentication creates a robust, customer-friendly security system.
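As an added example of what "in aggregate" means in practice (not code from the original article, and not Phronesis's product or API), the policy below takes the five MNO data points listed above and decides whether an SMS OTP to that number can be relied on, should be backed by a stronger factor, or should be refused. The field names, the 7-day SIM-swap window and the 30-day device-change window are assumptions chosen for illustration; the point is that the SIM-swap signal neutralises the main weakness of SMS OTPs before the code is ever sent.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAY = 86_400


@dataclass
class MnoSignals:
    """Hypothetical shape for the MNO data points the text lists. A real provider
    returns them in its own format; these field names are assumptions."""
    sim_swapped_at: Optional[int]      # unix time of the last SIM change, or None
    device_changed_at: Optional[int]   # unix time of the last handset change, or None
    number_recycled: bool              # number reissued to a different subscriber
    reported_lost_or_stolen: bool
    device_matches_number: bool        # handset in use is the one attached to the number


SEVERITY = {"allow": 0, "step_up": 1, "deny": 2}


def evaluate_sms_otp(signals: MnoSignals, now: int, high_value: bool = False,
                     swap_window_days: int = 7, device_window_days: int = 30):
    """Aggregate MNO signals into a decision on relying on an SMS OTP to this number.
    Returns (decision, reasons) where decision is 'allow', 'step_up' or 'deny'.
    The window sizes are illustrative assumptions, not vendor recommendations."""
    findings: List[Tuple[str, str]] = []

    if signals.reported_lost_or_stolen:
        findings.append(("deny", "device reported lost or stolen"))
    if signals.number_recycled:
        findings.append(("deny", "number recycled to a new subscriber"))

    if signals.sim_swapped_at is not None:
        age_days = (now - signals.sim_swapped_at) // DAY
        if age_days < swap_window_days:
            # The classic SIM-swap window: an SMS OTP would reach the attacker's SIM.
            findings.append(("deny" if high_value else "step_up",
                             f"SIM swapped {age_days} day(s) ago"))

    if (signals.device_changed_at is not None
            and now - signals.device_changed_at < device_window_days * DAY):
        findings.append(("step_up" if high_value else "allow", "handset changed recently"))

    if not signals.device_matches_number:
        findings.append(("step_up", "handset in use is not the one attached to the number"))

    if not findings:
        return "allow", ["no adverse MNO signals"]
    decision = max((sev for sev, _ in findings), key=SEVERITY.__getitem__)
    return decision, [f"{sev}: {why}" for sev, why in findings]


if __name__ == "__main__":
    now = 1_700_000_000                                      # constructed "current" time
    swapped_yesterday = MnoSignals(now - DAY, None, False, False, True)
    print(evaluate_sms_otp(swapped_yesterday, now))
    print(evaluate_sms_otp(swapped_yesterday, now, high_value=True))
```

Returning the full list of reasons, not just the verdict, is deliberate: the fraud team needs to see which signal drove a step-up or a refusal when they review the case later.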

Companies like Phronesis provide GDPR-compliant access to MNO data to help your business stay ahead of the curve on digital identity and fraud prevention. Phronesis is helping insurers, banks, software developers and service providers to positively identify new customers, authenticate users and protect all manner of transactions from identity fraud and attacks. Phronesis works behind the scenes, using real-time data from mobile networks and devices to enhance your existing systems so you can focus on building ever better, more profitable customer experiences.

Sources:

Victims Commissioner

Wikipedia (Definitions)

Kraken

Go4Mobility

SecurityScorecard