Authentication & Security

The Story of OTP

One-time passwords, or OTPs as they are popularly called, have become the authentication factor of choice for most payment service providers in India. The use of OTPs extends to non-financial transactions as well, for instance logging a customer into a smartphone application. Currently, all banks and mobile wallet companies in India use the OTP as a method to authenticate either their consumers or the consumers’ transactions.

Generation and Delivery of an OTP

Two steps happen before an OTP is actually used for authentication: generation and delivery.

OTPs can be generated in multiple ways. One frequently used method is time-based generation, in which a ‘token’ produces the OTP with the current time as one of its inputs; for this to work, the clock on the generation device must be kept in sync with the authentication server. The other method is to invoke a mathematical function that yields the OTP as its output.

The delivery of the OTP to the consumer can also happen in various ways. The most popular method in India is delivery via text message. A notification on a smartphone is also becoming a popular way to do this. Some banks issue hardware devices which hold the token for generating the OTP itself. When the OTP fails to be delivered, the customer has the option to initiate an IVR call and receive the OTP via an automated call.

A few banks not only deliver the OTP to the consumer but also give them an option to generate the OTP by texting a specified string to a number. This OTP is usually valid for a limited time.

Most banks generate a four-digit OTP and a few generate a six-digit OTP. A six-digit OTP is safer than a four-digit one against replay attacks. Some organisations are exploring alphanumeric strings.

Characteristics of an OTP

There are three facets of an OTP which lead to better consumer adoption and more robust authentication. The characteristics are:

  1. Simple
  2. Secure
  3. Swift

The table below compares a few of the OTP types being used in the market:

Simple Secure Swift
Four-digit OTP delivered via SMS
Six-digit OTP delivered via SMS
OTP delivered via IVR call
OTP generated by consumer delivered via SMS

Who uses OTPs?

The OTP has gained traction for authenticating transactions and users across industries. In emerging economies such as India and China, the OTP is a secondary factor for transaction authorisation. Certain banks – including the likes of OCBC and ICBC in China – issue physical hardware for OTP generation, whereas in India most of the incumbents use an OTP delivered via text message. Banks such as ICICI Bank use a combination of the security grid printed on the account holder’s card and an OTP; others like Standard Chartered use an OTP alone, and Citibank gives the customer the choice to authorise the transaction either via a PIN or a text-delivered OTP. Prepaid instruments in India also use the OTP as a factor for authentication. Prepaid wallet companies use OTPs for transaction authorisation as well as for consumer login to their apps.

Globally, social networks use OTPs for resetting user passwords. In Africa, banks use text-based OTPs: Standard Bank and Nedbank – two of the leading banks in Africa – offer this functionality to their consumers. The use of text OTPs is prevalent in Middle East banks as well. For instance, Mashreq – one of the leaders in digital banking in the GCC region – relies on this method. Other banks in the region that offer OTPs include Al Rajhi Bank, Rakbank and Samba Bank.

In the other developing regions of Latin America, Southeast Asia and Eastern Europe, the OTP is primarily delivered through SMS. Maybank in Malaysia and BBVA Bancomer in Mexico use OTPs as an additional authentication factor. BBVA Bancomer even has a dynamic CVV/CVC capability.

In North America, Europe, Australia, Singapore and other developed markets, the OTP is usually not delivered via text message. Wells Fargo – one of the largest banks in the world – uses the term ‘Advanced Access’ for its OTP feature. Lloyds Bank in England uses an OTP delivered via a call. DBS Singapore uses a six-digit OTP for both login and transactions. Down under in Australia, the Commonwealth Bank issues a hardware device to its customers to log in and authenticate their transactions.

Is there a perfect OTP?

An OTP which ‘resides’ in the smartphone application and is secure enough would be the simplest for the consumer to use. Delivery via text message usually suffers a delivery drop-off of up to 10%, apart from the delay in delivery caused by mobile network connectivity. A dynamically changing OTP is more secure. All these facets rolled into one form an effective OTP mechanism.

The road ahead

Authentication is done via three factors: knowledge, ownership and inheritance. Knowledge and ownership are factors which are transferable and prone to fraudulent use. Only the inheritance factor is robust, but implementing it is certainly an uphill task for many of the incumbent players in the market. As such, the OTP is just one of the ownership factors of authentication. The future might see authentication with biometrics only. A few organisations such as Barclays Wealth already use the more reliable voice print for authenticating large-ticket transactions.

Deepak Venkatesh

Deepak Venkatesh is a FinTech professional with a keen interest in payments and mobile financial services. He has experience across transaction banking, international remittances and mobile wallets. All views expressed are solely the author’s.
