Some websites, apps and online services have even stopped using static passwords, and require a OTP every time that you login.
Why use a One Time Password?
Businesses and organisations might use OTPs because it means that they are generating a unique code that provides temporary access to an account, rather than a user creating their own password which provides permanent access to the account.
User created passwords are typically less secure; many people reuse passwords across different accounts so that it is easier to remember them, or they forget them and have to go through the process of resetting their password for the account anyway. One Time Passwords provide a solution to both of these issues.
Are One Time Passwords secure?
Whilst no login system is 100% secure, using OTPs certainly increases the security of an account. Because there isn’t a static password associated with the account, a number of different cyber security issues cease to exist. For example, password cracking techniques such as brute force attacks aren’t effective, because a password is only associated with the account once the user attempts to login.
However, OTPs aren’t invulnerable. A One Time Password is only as strong as the user that is receiving it, and the place that it is sent to. For example, many vishing scams (voice phishing) involve a perpetrator calling a victim, pretending to be someone that the victim trusts, and requesting information from the victim directly. Social engineering tactics like these provide a way for scammers to gain the OTP verbally, when it is provided by the victim themselves.
OTPs can also be obtained by accessing the email account, or the mobile device that the password is sent to. If either of these are poorly protected, OTPs can be intercepted and used to access any account that the email address or mobile device is linked to. This is why it's so important to use MFA on your email accounts, as this is often the door to all of your other online accounts.
OTPs are good, but MFA is better
Whilst One Time Passwords do solve problems created by static passwords, they’re only marginally more secure than static passwords. However, when combined with Multi-Factor Authentication (MFA), the security of an account drastically increases. With MFA, you’ll need to provide an email address, a password and an additional piece of information, such as a code texted to your phone, or a code on an authenticator app.
Using an authenticator app is one of the best security choices that users can make. Codes are only available using the app, which is only accessible on a mobile device that the user has access to. The codes also change every thirty seconds, meaning that even if a scammer was able to get the code, they would have very little time to use it.
Again, authenticator apps aren’t perfect cyber security solutions. Many websites offer alternative ways of accessing your account if you can’t access the authenticator app, which is useful if you lose access to it, but also opens a window for scammers. However, MFA paired with an authenticator app is currently the best way to secure your accounts.
