"740921 is the one-time password to complete the transaction".
SMS messages like the one above are part of our daily lives, whether we're transferring money, ordering food online, or logging into to certain apps. We know them by their abbreviation: OTP (one-time password).
But what is an OTP and why is it so important?
Passwords are one way to keep our data secure. Increasingly though, it has become necessary to use a password along with at least one other method to verify your authenticity. When you use two or more means to do the verification, it is known as Multi-factor authentication (MFA).
The most common form of MFA is two-factor authentication or 2FA. Here you don't use more than two ways to verify your authenticity. The most common form of 2FA is through SMS or email.
How effective are OTPs and SMS authentication?
Authentication via SMS is convenient but not necessarily safe enough from bad actors. SMS can be compromised by a method known as a SIM swap scam.
OTPs can also be compromised. For instance, scammers who have stolen credit cards are known to have made phone calls to owners asking for OTPs. A scammer may disguise themselves as bank officials or policemen to trick you into revealing your OTP. Remember the mantra, No One Can Ask For Your OTP.
Scammers might use other methods to deceive people into giving them access to their bank accounts, as shown in the crime drama Jamtara — Sabka Number Ayega.
As an alternative, there are several authenticator apps that we can use. They generate random time-based one time passwords (OTP), which are unique in nature and expire after a few seconds. We feel Aegis Authenticator is a good choice for two-factor authentication (2FA) because of its privacy-friendly nature. You can also use Google Authenticator for authenticating apps.
Indian banks still use SMS-based OTPs which aren't recommended by experts. It would be safer if banks opted for app-based authentication. Authenticator apps avoid the problem of scammers, broken pages, transfer delays and so on. Until they do so, we recommend you use authenticators for other apps and services.
For even more security, we recommend using a physical key, like the Yubikey which provides hardware-based MFA. This is a physical flash drive-like device that you can use to authenticate your identity. Without it, you cannot access the data on the device.
Also read: How to create a strong password
This article is part of a series on digital literacy titled Digital Buddhi, aimed at helping you be safe online.
Amoghavarsha is a digital investigator and a journalist.