The blog of this week is about the Limitations of SMS-based OTP Authentication.
Through this blog, we aim to make our readers aware of the common two-factor authentication (2FA) techniques used In India have several shortfalls. We take a look at security risks associated with SMS-based OTP Authentication.
Ambimat Electronics, with its experience of over forty years, desires to draw the attention of its readers and potential customers towards this blog post about their new product called AmbiSecure key and how it will benefit us.
A simple password doesn’t cut it for most systems, especially ones with higher risks or sensitivity attached to them. One of the most effective ways of ensuring authentication is with“Multi-Factor Authentication”, or MFA. It is a method of access control in which a user is granted access only after successfully presenting at least two separate pieces of evidence to an authentication mechanism within the following categories:
- Knowledge Factor: Something you “know”: a password or PIN, or an answer to a question
- Possession Factor: Something you “have”: a token, credit card or mobile device
- Inherence Factor: Something you “are”: biometric data, such as fingerprints
Multi-Factor Authentication has been around for some time in different forms – input code received by SMS generated through apps, hardware keys etc. For those who are unaware, Multi-Factor Authentication enabled accounts will require a second code generated through an alternative medium in addition to a traditional password to log in to (email)/transact (banking and finance) from the account.
SMS-based OTP Authentication and Its Disadvantages.
Smartphones, we rely on them! This is for the simple fact that smartphones can give us access to numerous services online. It is a channel from which we can access several services such as banking, shopping, social media accounts, and countless more. Simply put, we can always remain online and access the internet anytime we feel like it. However, this has also given a rise to data theft. We may not realize it, but our mobile device can become a victim of malicious malware lurking on the net.
To overcome such breaches many online service providers introduced the concept of SMS-based OTP authentication. Its goal is to reduce phishing attacks as well as to address any security-related risk on the internet in regards to user authentication. The concept is to enter an OTP received on your mobile to verify your credentials on the website you want to use. Simple and secure enough. But, you would be surprised to know that SMS-based OTP authentication can also be compromised. Let’s have a look
Disadvantages of SMS based OTP Authentication
- Low level of security for a Second Factor Authentication Method:
Many of us assume that SMS OTP is a second-factor authentication. However, it is considered to be more of a two-step verification process, because you are simply receiving a message on your phone and not carrying it. This message can easily be intercepted and copied by malware present on your phone. So can we say it is a second-factor authentication method? Not always.
- Unsecure to Open Networks
You may like the sound of accessing your mobile device over an open network. However, what you fail to understand is that open or unsecured networks are the lurking ground for hackers, or shall we say Man-In-the_Middle. Uploading malicious software on your phone becomes an easy task for them over such open networks, and as soon you connect your phone to the network, you are presented with a task before you can access it. Thus compromising both your phone as well as all the data in it.
- Unencrypted Messages
The SMS OTP message that you receive on your phone is simply a text message. It passes through channels before you receive it. If any of these channels have weak security then the data can fall into the wrong hands. There have been cases where user SIM have been blocked and new ones acquired by hackers through mischievous means thereby granting them unlimited access to the OTP received on your registered mobile.
- Privacy and Security of Message not Guaranteed
SMS-based messages require proper security measures, but unfortunately, most network operators are unable to provide them.
Why is SMS-based 2FA still so popular?
Modern hackers are sophisticated, but much of the technology to ward them off is not. OTP are no longer considered secure as they’re heavily attacked in recent years.
- The two foundations on which OTP over SMS is built — cellular networks and mobile handsets — were completely different when the method is introduced. Security depends on the confidentiality of text messages and the network’s security, neither of which can be guaranteed. Hackers have created specialized Trojans to get around OTP over SMS security. These trojans hijack mobile phones.
- OTP Requires a reliable cell phone signal and battery life.
- May result in occasional SMS delivery failures
- The use of 3rd Party Messaging providers often incurs a per text charge.
So finally we can say that although SMS-based OTP authentication will continue to stay, it is best to equip ourselves with the knowledge of its disadvantages. The above points are just a few of them that you may face with such authentication methods. However, with the growing number of new risks evolving today in the web world, only time can say how secure these SMS-based OTP will continue to be.
Going beyond SMS authentication
FIDO2 is a standard that simplifies and secures user authentication. It uses public-key cryptography to protect from phishing attacks and is the only phishing-proof factor available. Corporations around the world and across many sectors can benefit from Fast Identity Online or Fast ID Online (FIDO) authentication, which their employees and users can use to minimize security risks and improve the user experience. We use FIDO for our AmbiSecure key and card which offers superior security by combining hardware-based authentication and public key cryptography to effectively defend against phishing attacks and eliminate account takeovers.
AmbiSecure helps organizations accelerate to a password-less future by providing support for the FIDO2 protocol. FIDO2 supports not only today’s two-factor authentication but also paves the way for eliminating weak password authentication, with strong single factor hardware-based authentication. The AmbiSecure provides a simple and intuitive authentication experience that users find easy to use, ensuring rapid adoption and organizational security. Ambisecure key or card do not require a battery or network connectivity, making authentication always accessible.
About Ambimat Electronics:
With design experience of close to 4 decades of excellence, world-class talent, and innovative breakthroughs, Ambimat Electronics is a single-stop solution enabler to Leading PSUs, private sector companies, and start-ups to deliver design capabilities and develop manufacturing capabilities in various industries and markets. AmbiIoT design services have helped develop Smartwatches, Smart homes, Medicals, Robotics, Retail, Pubs and brewery, Security.
Ambimat Electronics has come a long way to become one of India’s leading IoT(Internet of things) product designers and manufacturers today. We present below some of our solutions that can be implemented and parameterized according to specific business needs. AmbiPay, AmbiPower, AmbiCon, AmbiSecure, AmbiSense, AmbiAutomation.