Why do I need to use One Time Passwords?

Must we forever put up with those extra layers of security...

Monday, 6 April, 2020

In the quirky American cloning drama Living With Yourself, one of the two identical main protagonists is asked “How can you be sure that you are you?”

It’s a question which has vexed online ecommerce platforms and financial institutions for many years.

Just because an internet user gives their name as John Smith and has John Smith’s debit card number doesn’t mean they’re actually John Smith.

Anyone could have stolen Mr Smith’s wallet, hacked into his online accounts or harvested his details from a compromised bank database.

As such, proving your identity online increasingly relies on two-factor authentication.

This describes a process where two different devices are used to confirm someone’s true identity, providing an additional layer of account security.

A hacker might have compromised Mr Smith’s online bank account, or stolen his phone, but they’re unlikely to have accomplished both simultaneously.

(If you have lost both your wallet and your phone recently, your first calls after notifying the police should be to any financial institutions you have accounts with.)

One more Time

Because it’s unlikely a criminal will have simultaneously accessed a person’s phone and their online account data, One Time Passwords represent a reliable method of ID confirmation.

Early incarnations included pocket-sized card readers for online banking accounts.

Today, asking a person to confirm their identity on a new computer or while authorising payment through an internet portal often involves a text message being sent to their phone.

Although every mobile phone supports SMS, you can sometimes get One Time Passwords delivered to a landline as a voice message – or even via email, if a phone is unavailable.

The password is typically a randomly-generated four or six-digit PIN code.

A dedicated field in the browser window will request its entry within a specified period of time – usually between two and five minutes.

If the OTP entered into the browser matches the one sent by SMS, the user is granted access.

The password is automatically invalidated so it can’t be used again, making it far safer than a static password which could potentially be acquired and misused at any time.
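The issue-and-check cycle described above, sketched as server-side logic. This is an added example, not code from the article or from any bank or retailer; the account ids, the in-memory store and the five-minute lifetime are assumptions, and the lockout uses the three-attempt limit the article mentions among the flaws.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6          # the article mentions four- or six-digit codes
OTP_TTL_SECONDS = 300   # five minutes, the upper end of the window described
MAX_ATTEMPTS = 3        # three wrong entries may disable the account

class OtpStore:
    """In-memory store of pending codes, keyed by a hypothetical account id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # account -> [code, expires_at, failed_attempts]
        self.locked = set()

    def issue(self, account):
        """Create a fresh code; the caller delivers it by SMS, voice or email."""
        if account in self.locked:
            raise PermissionError("account locked")
        # secrets draws from the OS CSPRNG; random.randint would be predictable.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = [code, self._clock() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, account, submitted):
        """Return 'ok', 'expired', 'wrong', 'locked' or 'none'."""
        if account in self.locked:
            return "locked"
        entry = self._pending.get(account)
        if entry is None:
            return "none"
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[account]          # late texts are rejected
            return "expired"
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[account]          # single use: invalidate now
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]
            self.locked.add(account)
            return "locked"
        return "wrong"
```

The attempt limit matters as much as the expiry: without it, a six-digit code can be guessed by trying all one million values inside the validity window.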

I’ll pass, thanks

Of course, One Time Passwords aren’t without their flaws.

They slow down online transactions, adding an extra layer of inconvenience as you scramble around looking for your phone.

Texts occasionally take so long to arrive that they’ve expired on delivery and the browser refuses to accept them.

Many browsers display a “seconds remaining” countdown clock beside the OTP field, which is stress-inducing if the text isn’t instantly delivered.

And if the OTP is incorrectly entered three times, the account may be disabled – far from convenient if you’re attempting to do something important or time-critical.

Nonetheless, the One Time Password system remains a valuable tool for reducing fraud, convincing the authorities that you really are who you say you are…

Neil Cumins


Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!