Why banks are moving away from one-time passwords

By Claudius van der Meulen, Entersekt’s SVP Europe

Technology’s rapid evolution means we have said goodbye to countless gadgets and systems that many of us grew up with.

Consider, for example, the SONY Walkman, the telegram, and the once-popular video cassette. While we may remember these relics fondly, we wouldn’t dream of substituting our iPod with a Walkman today. So why, when our technology has developed in leaps and bounds, are we still using the SMS one-time password (OTP) – technology that was developed in the early 80s? Incredibly, this tech is still widely used as an identification and authentication method by many major financial institutions and other organizations, for example, the TAN and PAC codes used by ING Bank. Originally, only a TAN (Transaction Authorization Number) code was sent to a user’s mobile phone to authorize a transaction being made. Subsequently, the PAC (Personal Authentication Code) was added in 2012 to better protect users against online fraud. Even tech giant Facebook offers two-step authentication with SMS, and the DigiD code used to log in to government websites also uses SMS with a one-time password for verification.

Although this method was considered quite safe in its heyday, hence its widespread use, it is no longer the case.

Why is it so important that companies – and banks, in particular – replace this authentication method?
Unfortunately, this rapid development in technology has been accompanied by an equally rapid development in new forms of crime. Hackers can easily intercept the authentication codes sent by SMS via the mobile network. Moreover, a cyber thief does not always have to go to the trouble of stealing a password; we change SIM cards regularly, and phone numbers are recycled. If you forget to pass your new details on to your service providers, then when you next try to log in, they will send the authentication code to your old phone number, which may well be in someone else’s hands.

The risks are clear, and the fallibility of SMS OTPs is widely known, so why hasn’t this form of verification been eliminated?
In an industry as highly regulated as the banking sector, large-scale technological changes are a major undertaking, not least because banks have a variety of risks to consider when contemplating this kind of transformation. Implementing a new security system is a huge investment for a bank, which doesn’t always guarantee returns. Also, this new technology can unexpectedly disrupt customers – for instance, because of delays in transactions or limited access to banking details – which then negatively impacts customer satisfaction. Another concern for a bank is whether its customers will embrace the new technologies, especially if they are not easy to use. A bank must also carefully choose the right partner to assist it; one that can provide support with everything from integration to compliance. With so many technology partners and potential solutions to choose from, it’s no wonder banks have taken some time to transition from older methods of authentication.

Competing in a disrupted payments market
Despite these concerns, it is undeniably necessary for banks to move away from SMS OTPs and implement more robust security measures. The world is moving forward in terms of technology and security, and banks must do the same. New regulations, such as PSD2 in Europe, require major change. Today’s customers also expect more in terms of the user experience and will look elsewhere if their needs aren’t met. As such, competition for customers is fiercer than ever, with fintechs entering and disrupting the payments market by introducing new levels of security and user-friendliness. If banks want to stay relevant, then they need to keep up with the changing tides.

The dangers of OTPs
We are slowly starting to see a shift from two-step authentication via SMS to other forms of two-step authentication. For example, ING Bank announced earlier this year that they would discontinue the 30-year-old TAN code, and since last May, Facebook has also offered an alternative to two-step authentication via SMS. New regulations are encouraging this transition: European financial institutions, for instance, now have to offer two-step authentication because of the revised Payment Service Directive (PSD2). To be compliant with PSD2, consumers must be able to explicitly authenticate via a second channel, defined in PSD2 as “strong customer authentication” (SCA). SCA means that consumers now identify themselves with at least two of the three possible factors – which essentially amounts to multi-factor authentication. The three authentication factors are something the person knows (e.g. a password), something the person owns (e.g. a card), and something the person is (e.g. a voice or fingerprint). The implementation of SCA is supposed to make it harder for hackers to commit identity fraud.

So how can banks keep up?
Push authentication technology is a proven and effective alternative to SMS OTPs. Analyst firm Gartner expects that this technology will dominate the authentication market within the next two years. Its appeal isn’t surprising – push authentication does not require the user to switch between mobile banking apps, copy or remember pins or passwords, or wait for a message to arrive. With this approach, communication between the bank and the user takes place via an isolated, encrypted channel that is not susceptible to the same external attacks as passwords or SMS OTPs. This practically frictionless and highly secure approach offers huge incentives for financial institutions to migrate from OTPs via SMS. A bank that invests in these types of technologies will see a decrease in digital fraud and happier customers as a result. It will be complying with all relevant regulations by opting for a method that utilizes an out-of-band, encrypted channel for transactions, while simultaneously keeping up with changing times, reinforcing its security and enhancing customer experience. In today’s highly competitive and changeable fintech landscape, banks will need to look to new technologies to capture an up-and-coming generation of loyal customers without sacrificing security.