In Indonesia, 97% of businesses have experienced account takeover (ATO) fraud, with 8 out of 10 cases leading to unauthorized transactions. This situation typically occurs due to leaked sensitive data, which is then exploited by cybercriminals.
Account takeover is a type of digital fraud that can result in financial losses. To prevent this, many companies are strengthening security measures with Two-Factor Authentication (2FA).
Two-Factor Authentication (2FA) is a security method that verifies a user’s identity with two independent factors: typically something the user knows (a password or PIN) combined with something the user has (a phone, authenticator app, or hardware token) or something the user is (a biometric).
For example, when logging into an e-commerce or social media account, after entering your password, you receive an OTP (One-Time Password) that must be entered into the platform.
While OTP authentication is still widely used, some financial institutions in Singapore are starting to phase it out. Let’s explore the advantages of 2FA security and why biometric authentication is a more secure alternative.
Enhanced Security: Two layers of verification significantly reduce the chances of hackers successfully accessing an account.
Protection Against Cyberattacks: 2FA blunts credential stuffing and brute force attacks, because a guessed or leaked password alone is no longer enough to log in. How much it helps against phishing depends on the second factor, as the sections below show.
Increased User Trust: Businesses that implement 2FA demonstrate their commitment to user security, fostering greater trust.
Two-Factor Authentication (2FA) requires users to provide two types of credentials before gaining access to an account or system. It strengthens security against phishing, data breaches, and brute force attacks.
In practice, 2FA is implemented in one of three main ways, depending on which second factor is used:
Users enter a password (first factor) and receive an OTP via SMS, email, or an authenticator app (second factor).
Risk: This method is easy to implement, but the code is phishable (a user can be tricked into typing it into a fake page) and, when delivered by SMS, it is also exposed to SIM swapping and message forwarding. An OTP sent by email is only as secure as the mailbox it lands in.
Instead of OTP via SMS, users generate OTPs through authenticator apps like Google Authenticator or Microsoft Authenticator.
Benefit: Safer than SMS OTP because the code never travels over the carrier network, so SIM swapping and SMS forwarding no longer apply. It is not phishing-proof, though: the code is still a six-digit number the user types in, and a fake login page that relays it to the real site within the 30-second window will be accepted. The downside is that users must install an additional app.
No password, PIN, or OTP is needed. Users authenticate via biometric verification (facial recognition), which is linked to their device.
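The difference between the authenticator-app OTP above and device-based authentication comes down to what the server can check. The following example is added here and is not code from the original article or from VIDA: it implements TOTP as specified in RFC 6238 (the algorithm Google Authenticator and Microsoft Authenticator use) and then simulates a phishing site relaying the victim's input to the real service. The TOTP relay is accepted, because a TOTP proves only that someone holds a fresh code. The device-bound flow is rejected, because the device signs the origin it is actually talking to and the server verifies against its own origin. The biometric check is modelled as a simple gate that releases the device key; the domain names, secrets and per-device HMAC key are constructed for the example (real systems such as FIDO/WebAuthn use an asymmetric key pair for the device credential; an HMAC key is used here so the example runs on the standard library alone).

```python
"""
Added example (not from the original article or VIDA's product):
why an authenticator-app TOTP can still be phished in real time, and why an
origin-bound challenge-response with a device-bound key cannot.
Standard library only; all secrets and origins below are made up.
"""
import hashlib
import hmac
import secrets
import struct
import time


# --- 1. TOTP as in RFC 6238 (what authenticator apps compute) -----------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check that tolerates +/- `skew` time steps of clock drift.
    Note what is NOT checked: where the code was typed. Anyone holding a
    fresh code inside the window is accepted."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, now + delta * step, step), code):
            return True
    return False


# --- 2. Origin-bound challenge-response with a device-bound key ---------------
# Assumption: at enrollment the device created a key that never leaves it and
# the server stored the matching verification material. Here that key is a
# per-device HMAC key (hypothetical simplification); WebAuthn uses a key pair,
# but the origin-binding logic is the same.

def device_sign(device_key: bytes, challenge: bytes, origin_seen: str,
                biometric_ok: bool) -> bytes:
    """The device signs the server's challenge TOGETHER WITH the origin the
    client is really connected to. The face/fingerprint check only gates
    use of the key; no biometric data is transmitted."""
    if not biometric_ok:
        raise PermissionError("biometric unlock failed; key not released")
    return hmac.new(device_key, origin_seen.encode() + b"|" + challenge,
                    hashlib.sha256).digest()


def server_verify(device_key: bytes, challenge: bytes, expected_origin: str,
                  signature: bytes) -> bool:
    """The relying party recomputes over ITS OWN origin, so a signature made
    for a look-alike domain never matches."""
    expected = hmac.new(device_key, expected_origin.encode() + b"|" + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def phishing_relay_demo(now=None) -> dict:
    """Simulate a fake site (evil.example) relaying the victim's responses to
    the real service (bank.example). Returns which method accepted the relay."""
    now = int(time.time()) if now is None else now
    totp_secret = secrets.token_bytes(20)      # shared at QR-code enrollment
    device_key = secrets.token_bytes(32)       # device-bound, never exported

    # TOTP: the victim reads the code from the app, types it into the fake page,
    # and the attacker forwards it to the real server a few seconds later.
    code_typed_on_fake_page = totp(totp_secret, now)
    totp_relay_accepted = verify_totp(totp_secret, code_typed_on_fake_page, now + 5)

    # Device-bound: the real server issues a challenge, the fake page forwards it,
    # but the victim's device signs over the origin it is actually talking to.
    challenge = secrets.token_bytes(32)
    sig = device_sign(device_key, challenge, "https://evil.example", biometric_ok=True)
    device_relay_accepted = server_verify(device_key, challenge, "https://bank.example", sig)

    # Sanity check: the same flow against the genuine origin does succeed.
    good_sig = device_sign(device_key, challenge, "https://bank.example", biometric_ok=True)
    device_genuine_accepted = server_verify(device_key, challenge, "https://bank.example", good_sig)

    return {
        "totp_relay_accepted": totp_relay_accepted,       # True: OTP is phishable
        "device_relay_accepted": device_relay_accepted,   # False: origin mismatch
        "device_genuine_accepted": device_genuine_accepted,
    }


if __name__ == "__main__":
    print(phishing_relay_demo())
```

Running the script prints a dictionary with the TOTP relay accepted and the device-bound relay rejected. The `verify_totp` window (`skew=1`) is the usual allowance for clock drift, and it is exactly what gives a real-time phisher the few seconds needed to replay the code; shrinking the window does not fix the underlying problem, since the server still cannot tell where the code was entered. A production TOTP verifier should additionally remember the last accepted counter and refuse to accept the same code twice.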
OTP has evolved over decades as a security measure:
RSA SecurID hardware tokens popularized time-based OTPs, displaying a new code every 60 seconds so that each code is valid for only about a minute.
Although OTP was introduced to strengthen authentication, attackers have adapted and OTPs are now a routine target of fraud. The attacks below share one root cause: a code that the legitimate user can read and type can just as easily be handed to, or intercepted by, the wrong party. Here is why OTP on its own is no longer considered secure:
Phishing scams trick users into entering their OTPs on fake login pages that resemble real banking or e-commerce sites. The attacker forwards the code to the genuine site before it expires and gains full access to the victim's account.
Scammers impersonate customer service agents from banks or platforms and ask for OTPs under the pretense of account verification or security updates. Many victims unknowingly provide their OTPs, leading to account takeover fraud.
Attackers trick users into activating SMS forwarding, redirecting OTP messages to the fraudster's number. This allows scammers to access accounts without the victim realizing it.
SIM swapping is an increasingly common attack. Fraudsters convince mobile carriers to transfer a victim’s phone number to a new SIM card controlled by the scammer. Once the transfer is complete, the fraudster can intercept OTPs and gain control over all accounts linked to the number.
Modern authentication systems are shifting towards biometric and device-based authentication. VIDA offers secure, fast, and phishing-resistant authentication methods:
Two-Factor Authentication (2FA) is a crucial security step, but traditional OTP-based authentication is no longer safe. Companies should transition to biometric and device-based authentication to protect users from fraud, phishing, and SIM swapping attacks.
Explore VIDA’s latest whitepaper: Where’s The Fraud? The State of Authentication and Account Takeovers in Indonesia.