Thales Blog

Is the demise of OTP authentication imminent?

May 10, 2022

Chris Martin Chris Martin | Solutions Architect More About This Author >

Digital transformation and the increasing reliance on remote business continue to accelerate the adoption of new identity and access management (IAM) approaches and technologies. IAM and IT leaders face new business demands that require digital trust across every interaction and channel. Reducing the risk from credential compromise is forcing regulators and industry leaders to mandate multifactor authentication (MFA) and re-assess the efficacy of OTP.

Historical perspective of strengthening authentication

With passwords destined to be around for a foreseeable amount of time with all their weaknesses, businesses were always seeking for ways to verify the identity of people and services accessing sensitive data beyond any doubt. They have realized that relying on a single knowledge factor such as passwords was not good enough, creating risks and vulnerabilities that attackers were eager to exploit.

The first attempt was to leverage knowledge questions to complement insecure passwords, only to find out soon enough that people were using information that was easy to be compromised by simple social engineering tactics. Either way that was not a second factor per se but instead a second step to authentication using yet another knowledge factor.

With the proliferation of smartphones, SMS-based OTP was used, which was indeed a second factor, the possession one, proving that you owned the phone number to which the SMS message was sent. Soon enough, attackers changed their tactics and found a way to trick mobile carriers and get hold of the SMS message containing the OTP code. SIM swapping attacks were the key reason that back in 2011, NIST deprecated SMS-based OTP authentication.

Businesses wishing to leverage the power of MFA were then directed to use OTP application authenticators, such as Microsoft Authenticator, instead. Even now, security researchers and criminals have proved that OTP Push authentication is vulnerable to manipulation and man-in-the-middle attacks through infected devices. The Office of Management and Budget (OMB) in the United States and ENISA in the European Union both called for not using OTP authentication because it is not phishing resistant.

Both agencies ask organizations to leverage authentication methods such as FIDO2 or certificate-based authentication. While FIDO is becoming mainstream, as many vendors support it, the question is whether we will witness the re-emergence of PKI for managing the digital identities of employees.

Which authentication method is suitable or do you need many?

With MFA being a mandatory requirement, the discussion now shifts to selecting the most appropriate authentication method. In doing so, organizations need to consider the following factors:

  • The use cases where MFA will be used. It is important to note that MFA is not required only to harden the digital identities of employees. It is used in many cases including, VPNs, cloud workloads and containers, factory floor workers and healthcare providers, and protecting Operational Technology (OT) systems and processes.
  • Often a range of authenticators are required. Not all users will have the same user experience and have very different needs. Not all users will have access or can use a mobile phone.
  • Deployment flexibility and scalability to futureproof all business needs and goals.
  • Management limitations. For example, lifecycle management of FIDO credentials is a critical element of deploying FIDO authentication in the enterprise. The question is how an organization can address the actions behind the registration of FIDO credentials as part of the employee onboarding process and account creation, registering and binding new FIDO credentials to existing user corporate accounts. Other considerations include revoking FIDO credentials when they are compromised, or when employees leave the company, renewing FIDO credentials, and recovering access to corporate accounts when FIDO credentials are lost.
  • Organization-specific constraints, such as the sensitivity and criticality of the data to be accessed, regulatory compliance, operational limitations (i.e., restricted use of mobile devices), and workforce mobility.
  • Resistance to known attack vectors, such as sophisticated social engineering attacks.

Every user is a potential target

MFA is a very powerful tool in the arsenal of every organization. Deployment of MFA should not be limited to only privileged accounts, but it should expand and cover every employee. Attackers need to compromise only a weak credential to log themselves into a corporate network or deploy ransomware. Once they have breached into the organization, for them, it is business as usual.

Organizations must support a wide range of authentication factors to be able to enable modern authentication – adaptive, contextual, risk-based authentication that balances security with frictionless experience.

If you would like to learn more, I’ll be at the Gartner Identity & Access Management Summit on 12 and 13 May 2022, from 11:15 AM - 11:45 AM BST, presenting the topic “Is the Demise of OTP Authentication Imminent?”