SMS OTPs are long past their prime

By Staff Writer, ITWeb
Johannesburg, 28 Sept 2021

SMS OTPs were a good go-to solution, but they are long past their prime. GSM authentication offers a more robust alternative, according to Lincoln Naicker, product owner at Entersekt.

“Companies must look for better step-up authentication methods if they hope to fulfil their duties of protecting customers and their data. GSM authentication offers an app-less, truly out-of-band, secondary factor that is both low friction and simple to implement. For companies looking to protect all customers against fraud, GSM authentication is a great solution.”

He says for many years SMS OTPs were the favoured second-factor authentication mechanism, largely due to convenience. “Almost everyone has a mobile phone, which is always with them, and everyone is familiar with SMS.”

However, he says the tipping point, at which the security risks of SMS OTP technology outweighed its user familiarity, was reached some time ago.

“The SMS channel is not considered the most secure for many reasons. Our phones are susceptible to any number of trojans which leverage open access to SMS on mobile phones specifically to intercept OTPs. What’s more, mobile SIM swaps or SIM clones can also significantly devalue this mechanism as an authentication option,” Naicker explains.

He says reducing SIM-swap fraud is the reason behind GSM authentication, which turns the device itself into a unique identifier and communicates with it directly through a real-time push notification over the mobile network.

Using a separate authentication channel makes it harder for a bad actor to intercept and subvert the authentication process, as in a man-in-the-middle attack, because the attacker would need to compromise two communication channels.

GSM authentication is also easier for customers, who don't need to register, enrol or sign up, he adds. An authentication message is automatically pushed to their mobile phone when they attempt an interaction with their institution that has to be authenticated.

Naicker says that Entersekt has developed its offering to include patented technologies as well as direct integration with local mobile network operators (MNOs).

The customer sees an accept-or-decline prompt when they are about to log in or make a sensitive transaction, while in the background Entersekt applies algorithms that check the device identity and can also detect whether the SIM has been swapped recently. This information is flagged to the institution, alerting it to a potentially risky transaction.
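As an added illustration of the institution-side decision described above (this is example code, not Entersekt's or any MNO's), the following models how a step-up request can be checked against a subscriber lookup before the accept-or-decline prompt is pushed. The lookup fields, the seven-day swap window and the sample phone number are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class MnoSubscriberInfo:
    """Constructed model of an MNO lookup result; field names are assumptions."""
    msisdn: str
    sim_last_changed: datetime  # when the SIM behind this number was last replaced
    device_id: str              # identifier of the handset currently on the network


@dataclass(frozen=True)
class StepUpRequest:
    msisdn: str
    enrolled_device_id: str     # handset previously bound to this customer by the institution


@dataclass(frozen=True)
class StepUpDecision:
    allow_push: bool            # safe to send the accept/decline prompt over the mobile network?
    risk_flags: Tuple[str, ...] # findings surfaced to the institution's fraud team


SIM_SWAP_WINDOW = timedelta(days=7)  # assumed policy window; tune per institution


def evaluate_step_up(req: StepUpRequest, info: Optional[MnoSubscriberInfo],
                     now: datetime, swap_window: timedelta = SIM_SWAP_WINDOW) -> StepUpDecision:
    """Decide whether the out-of-band prompt may go to the subscriber's current SIM."""
    flags = []
    if info is None or info.msisdn != req.msisdn:
        # No trustworthy view of the subscriber: never push to an unverified SIM.
        return StepUpDecision(allow_push=False, risk_flags=("subscriber_unverified",))
    # A swap timestamp in the future (clock skew) also counts as recent: now - future < window.
    if now - info.sim_last_changed < swap_window:
        flags.append("recent_sim_swap")
    if info.device_id != req.enrolled_device_id:
        flags.append("device_mismatch")
    # A recent swap on an unfamiliar handset is the classic SIM-swap fraud pattern: the prompt
    # would reach whoever now holds the number, so route to a fallback channel instead.
    allow_push = not ("recent_sim_swap" in flags and "device_mismatch" in flags)
    return StepUpDecision(allow_push=allow_push, risk_flags=tuple(flags))


if __name__ == "__main__":
    now = datetime(2021, 9, 28, tzinfo=timezone.utc)
    req = StepUpRequest(msisdn="+27000000000", enrolled_device_id="dev-A")  # constructed sample
    lookup = MnoSubscriberInfo("+27000000000", now - timedelta(days=2), "dev-B")
    print(evaluate_step_up(req, lookup, now))
```

Either flag on its own is passed to the institution as risk information; only the combination withholds the push, mirroring the "flag, don't silently block" behaviour described above.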

“This fits into the security end-game for today’s businesses that need to do whatever it takes to prevent fraud and protect their customers,” he says.

Businesses that don’t want to force their users to download yet another app, or would like to have a secure fallback authentication method should their app go down, can also rely on GSM authentication as a step-up option.

He says this authentication method is ideal for SA organisations. “USSD functionality means customers don’t have to have a smartphone. This is great for companies where inclusivity is a big priority, especially healthcare, financial services and even government services.”