In Indonesia, 97% of businesses have experienced account takeover (ATO) fraud, with 8 out of 10 cases leading to unauthorized transactions. This situation typically occurs due to leaked sensitive data, which is then exploited by cybercriminals.
Account takeover is a type of digital fraud that can result in financial losses. To prevent this, many companies are strengthening security measures with Two-Factor Authentication (2FA).
Definition of Two-Factor Authentication
Two-Factor Authentication (2FA) is a security method that verifies a user’s identity with two different authentication factors drawn from separate categories, so that compromising one of them (for example, a leaked password) is not enough to log in.
For example, when logging into an e-commerce or social media account, after entering your password, you receive an OTP (One-Time Password) that must be entered into the platform.
While OTP authentication is still widely used, some financial institutions in Singapore have started to phase it out. Let’s look at the benefits of 2FA and why biometric and device-based authentication is a more secure alternative.
Benefits of Two-Factor Authentication
- Enhanced Security: Two layers of verification significantly reduce the chances of an attacker accessing an account with a stolen or guessed password alone.
- Protection Against Cyberattacks: 2FA minimizes the risk from credential stuffing and brute force attacks, and, depending on how the second factor is delivered, from phishing.
- Increased User Trust: Businesses that implement 2FA demonstrate their commitment to user security, fostering greater trust.
Examples of Two-Factor Authentication
Two-Factor Authentication (2FA) requires users to present two different kinds of credentials before gaining access to an account or system, which makes a password obtained through phishing, a data breach, or brute force far less useful on its own.
The two factors are drawn from three categories of authentication factor:
- Something You Know: A password, PIN, or security question answer.
- Something You Have: A smartphone, authentication app, or security token.
- Something You Are: Biometric features like fingerprint, facial recognition, or voice recognition.
Common Two-Factor Authentication Combinations
1. Password and OTP (One-Time Password)
Users enter a password (first factor) and then a one-time code delivered by SMS or email (second factor).
Examples:
- Online banking transactions requiring OTP for payment verification.
- E-commerce accounts using OTP for login verification.
Risk: This method is easy to deploy, but the code is something the user reads and retypes, so it can be phished in real time. SMS codes can additionally be intercepted through SIM swapping or message forwarding, and email codes through a compromised mailbox.
2. Password and Authenticator App
Instead of OTP via SMS, users generate OTPs through authenticator apps like Google Authenticator or Microsoft Authenticator.
Example:
- Logging into accounts that use authentication apps for added security.
Benefit: Codes are generated on the device itself, so SIM swapping and SMS forwarding cannot intercept them. Caveat: a user can still be tricked into typing a valid code into a phishing page, and the attacker can relay it to the real site within the code’s validity window (typically 30 seconds). The downside for users is having to install and enroll an additional app.
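To make the authenticator-app flow concrete, here is an added example (not code from the original page, nor from any product it mentions) of RFC 6238 TOTP generation and server-side verification in Go. The demo key is the ASCII secret from the RFC 4226/6238 test vectors, used here as a constructed value. The verifier tolerates one time step of clock drift and refuses to accept the same time step twice, which blocks a plain replay; the RelayDemo function then shows why that protection does not help against the real-time phishing relay described later on this page: whoever submits the freshly phished code first wins.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed demo key: the ASCII secret from the RFC 4226/6238 test vectors.
// A real deployment generates a random per-user secret at enrollment.
var secret = []byte("12345678901234567890")

const (
	step    = 30      // seconds per TOTP time step (RFC 6238 default)
	modulus = 1000000 // 10^6 for six-digit codes
)

// hotp computes an RFC 4226 HMAC-SHA1 code for a counter value.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%modulus)
}

// totp derives the counter from Unix time, exactly as an authenticator app does.
func totp(key []byte, unixTime int64) string {
	return hotp(key, uint64(unixTime/step))
}

// Verifier is the server side for one user. It remembers the highest time
// step already consumed so the same code cannot be accepted twice
// (RFC 6238 section 5.2).
type Verifier struct {
	key      []byte
	lastStep int64 // -1 until the first successful login
}

func NewVerifier(key []byte) *Verifier {
	return &Verifier{key: key, lastStep: -1}
}

// Verify accepts a code for the current step or one step either side
// (clock drift), rejecting any step that has already been used.
func (v *Verifier) Verify(code string, now int64) bool {
	cur := now / step
	for delta := int64(-1); delta <= 1; delta++ {
		s := cur + delta
		if s <= v.lastStep {
			continue // already consumed: replay rejected
		}
		// constant-time comparison so response timing does not leak the code
		if hmac.Equal([]byte(hotp(v.key, uint64(s))), []byte(code)) {
			v.lastStep = s
			return true
		}
	}
	return false
}

// RelayDemo models the phishing relay: the victim types a valid code into a
// fake page at t=59, the attacker submits it to the real server at t=65, and
// the victim's own submission arrives at t=70. It reports whether the
// attacker's and then the victim's attempts were accepted.
func RelayDemo() (attackerAccepted, victimAccepted bool) {
	v := NewVerifier(secret)
	phished := totp(secret, 59) // what the victim typed into the fake page
	attackerAccepted = v.Verify(phished, 65)
	victimAccepted = v.Verify(phished, 70)
	return attackerAccepted, victimAccepted
}

func main() {
	fmt.Println("current code:", totp(secret, time.Now().Unix()))
	a, b := RelayDemo()
	fmt.Printf("attacker accepted: %v, victim accepted: %v\n", a, b)
}
```

The step-consumption check is worth keeping (it stops a code captured from a shoulder-surf or a log from being used a second time), but as RelayDemo shows, it cannot distinguish a legitimate first use from an attacker who relays the code a few seconds before the victim's own request lands.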
3. Biometric Authentication and Trusted Device
No password, PIN, or OTP is needed. Users authenticate via biometric verification (facial recognition), which is linked to their device.
Example:
- When signing up for mobile banking or an e-commerce app, the system requests biometric authentication via selfie verification. The app then associates the user's biometric data with their device, ensuring future logins can only be done using the same face and device.
The Evolution of OTP in Two-Factor Authentication
OTP has evolved over decades as a security measure:
1. 1980s: The Birth of OTP
OTP was first developed as a response to password security flaws. Early OTP systems used hardware tokens to generate random codes for individual login sessions.
2. 1990s: OTP in Enterprise Security
RSA SecurID tokens became popular in enterprise environments, displaying a new time-based code roughly every minute.
3. 2000s: The Rise of SMS OTP
With the expansion of mobile networks, SMS OTP became widespread. By 2005, financial institutions and e-commerce platforms had adopted SMS OTP for login verification and transactions.
4. 2010s: The Shift to Authenticator Apps
In 2010, Google released Google Authenticator, which generates time-based OTPs locally on the user’s device so that no code has to travel over a network; the scheme was standardized as TOTP in RFC 6238 the following year.
Why OTP Authentication Is No Longer Secure
Although OTP was initially designed to enhance security, advancements in cybercrime have made it a frequent target for fraud and hacking attempts. Here’s why OTP is no longer considered secure:
1. Susceptible to Phishing Attacks
Phishing scams trick users into entering their OTPs on fake login pages that resemble real banking or e-commerce sites. Because the real site accepts the code for the rest of its validity window, the scammer simply relays it and gains full access to the victim’s account without needing any technical exploit.
2. Fake Phone Calls and Video Calls
Scammers impersonate customer service agents from banks or platforms and ask for OTPs under the pretense of account verification or security updates. Many victims unknowingly provide their OTPs, leading to account takeover fraud.
3. Call and SMS Forwarding Exploits
Attackers talk users into activating call or SMS forwarding on their own line, redirecting OTP messages to the fraudster’s number. This allows scammers to access accounts without the victim noticing, since the victim never sees the codes arrive.
4. SIM Swapping Fraud
SIM swapping is an increasingly common attack. Fraudsters convince mobile carriers to transfer a victim’s phone number to a new SIM card controlled by the scammer. Once the transfer is complete, the fraudster can intercept OTPs and gain control over all accounts linked to the number.
VIDA’s Secure Two-Factor Authentication Solutions
Modern authentication systems are shifting towards biometric and device-based authentication. VIDA offers secure, fast, and phishing-resistant authentication methods:
1. VIDA FaceToken
- Uses liveness detection and facial recognition to verify identity.
- Ensures that only the legitimate user can access their account.
2. VIDA PhoneToken
- Device-based authentication that eliminates the need for OTPs and passwords.
- Uses Public Key Infrastructure (PKI): the private key stays on the enrolled device and signs each login, so there is no code for a user to read out or retype and nothing for an attacker to phish or intercept.
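For contrast with OTP, here is an added example (not VIDA’s PhoneToken code, and not code from the original page) of the generic device-bound, PKI-based challenge-response that the device-based authentication in section 3 and in PhoneToken rests on, written in Go with the standard library’s Ed25519. It assumes one hypothetical design: at enrollment the server stores the device’s public key; at each login the server issues a fresh random nonce, the device signs the nonce together with the origin it is actually talking to, and the server verifies the signature with the stored key and discards the nonce. The domain names and user names are constructed for the demo. The PhishingScenario function shows the property that matters on this page: a phishing proxy that relays the real server’s challenge to the device gets back a signature over its own origin, which the real server rejects, and the response contains nothing the attacker can retype or forward.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is the relying party: its own origin, each user's enrolled public
// key, and the nonce outstanding for each login attempt.
type Server struct {
	origin     string
	devices    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, devices: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll records the device's public key; the private key never leaves the device.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.devices[user] = pub }

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.devices[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// signedMessage is what the device signs: the origin it connected to, a
// separator, and the nonce. Binding the origin is what defeats relay.
func signedMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Verify checks the signature against the enrolled key and the server's own
// origin, and consumes the nonce so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user) // one use only
	pub, ok := s.devices[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedMessage(s.origin, nonce), sig)
}

// Device holds the user's key pair; in a real deployment the private key sits
// in the phone's secure hardware behind a biometric or PIN check.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv}, nil
}

// Respond signs the nonce for the origin the device is actually talking to.
func (d *Device) Respond(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, nonce))
}

// PhishingScenario runs a genuine login against bank.example, then a relay
// through a phishing proxy at bank-example.evil that forwards the bank's real
// challenge to the device. Both domains are constructed for the demo.
func PhishingScenario() (genuineOK, relayOK bool, err error) {
	bank := NewServer("bank.example")
	dev, err := NewDevice()
	if err != nil {
		return false, false, err
	}
	bank.Enroll("alice", dev.pub)

	nonce, err := bank.Challenge("alice")
	if err != nil {
		return false, false, err
	}
	genuineOK = bank.Verify("alice", dev.Respond("bank.example", nonce))

	nonce, err = bank.Challenge("alice") // the proxy requests a real challenge
	if err != nil {
		return false, false, err
	}
	sig := dev.Respond("bank-example.evil", nonce) // device signs for the origin it sees
	relayOK = bank.Verify("alice", sig)
	return genuineOK, relayOK, nil
}

func main() {
	g, r, err := PhishingScenario()
	fmt.Println("genuine login:", g, "relayed login:", r, "err:", err)
}
```

Two design choices carry the security argument: the nonce is random and single-use, so a recorded response is worthless later, and the origin is part of the signed message, so a signature produced for a look-alike site never verifies at the real one. Neither property is available to an OTP, which is just a short number the user copies wherever they are asked to.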
Two-Factor Authentication (2FA) remains a crucial security step, but any OTP that a user can read and retype can be phished, forwarded, or intercepted, so OTP-based second factors are no longer enough on their own. Companies should transition to biometric and device-based authentication to protect users from fraud, phishing, and SIM swapping attacks.
Explore VIDA’s latest whitepaper: Where’s The Fraud? The State of Authentication and Account Takeovers in Indonesia.