One-Time Passwords (OTP) - Single-Use Codes
A one-time password (OTP) is a single-use password that is valid for only one authentication. Unlike a fixed password, it cannot be reused even if intercepted, so it is widely used as the "possession" factor of multi-factor authentication. It is a technology used routinely as an additional authentication layer in contexts such as online banking, corporate VPN connections, and cloud service logins.
HOTP and TOTP - Two Generation Methods
OTP generation methods fall broadly into two types. HOTP (HMAC-based One-Time Password, RFC 4226) is a counter-based method: the counter value is incremented on each authentication, and a one-time code is generated from the shared secret key and the counter value using HMAC-SHA1. It works correctly as long as the server and client counters are synchronized, but it has an operational drawback in that resynchronization becomes necessary when the counters drift out of sync.
TOTP (Time-based One-Time Password, RFC 6238) is a time-based method that evolved from HOTP. Because it uses the current time (typically in 30-second intervals) instead of a counter, the counter synchronization problem is eliminated. All major authenticator apps, including Google Authenticator and Microsoft Authenticator, adopt TOTP, making it the current mainstream of OTP. Both HOTP and TOTP are specific generation methods within the broader category of OTP.
The Risks of SMS OTP
The method of sending OTPs via SMS has spread widely because of its convenience, but it harbors serious security problems. The greatest risk is the SIM swap attack. By deceiving the mobile carrier into transferring the victim's phone number to a different SIM card, an attacker can intercept the SMS OTP. In 2019, an incident in which the Twitter CEO's account was hijacked through a SIM swap drew significant attention.
A more fundamental problem is the vulnerability of the SS7 (Signaling System No. 7) protocol. SS7 is a signaling control protocol for telephone networks designed in 1975, with almost no mechanisms for authentication or encryption. If an attacker can gain access to the SS7 network, intercepting SMS messages is technically possible. As of 2016, NIST positioned SMS OTP as "not recommended," and migration to authenticator apps or hardware tokens is encouraged wherever possible.
Hardware Tokens and Software Tokens
The means of generating OTPs are broadly divided into physical devices (hardware tokens) and apps (software tokens). The representative hardware token is the RSA SecurID, which has been used for corporate remote access authentication since the 1990s. It is the small device that displays a 6-digit code, changing every 60 seconds, on its LCD screen. Because it is physically independent, it is less susceptible to malware, but the response cost when a token is lost or broken and the burden of distributing and managing the devices are challenges. Please also refer to How to Choose a Hardware Security Key.
A software token (authenticator app) can be used simply by installing it on a smartphone, and its greatest advantage is that the distribution cost is close to zero. However, if the smartphone itself becomes infected with malware, there is a risk that the OTP will be stolen. OTP authentication guides on Amazon explain in detail the implementation differences between each method.
Actual Use at Financial Institutions
At Japanese banks, it is standard to require an OTP when making a transfer in online banking. Distributing hardware tokens was once mainstream, but in recent years the shift to smartphone apps has progressed. What is interesting is that many financial institutions still use SMS OTP alongside other methods. This is a decision that prioritizes user convenience and support costs over security, and it also reflects consideration for the customer segment that cannot use authenticator apps.
The adoption rate of two-factor authentication is rising year by year, but new attack techniques that abuse OTPs, such as the MFA fatigue attack, have also emerged. OTP is not a panacea; it is a technology that only delivers its full effect when combined with a correct understanding of two-factor authentication.