How 1-Time Passcodes Create Cyber Risk

Authentication vulnerabilities

Businesses can’t take a set-it-and-forget-it approach to cyber security if they actually want to stay protected. Cyber security best practices are constantly evolving as cyber criminals find new and creative ways to launch attacks, infiltrate networks, and steal money and data. Simple digital security measures just won’t cut it anymore — and in fact, using outdated authentication measures and protocols can actually create more cyber risk for companies and individuals. 1-time passcodes are an example of an authentication method that actually increases a company’s vulnerability to cyber attacks. After all, an enterprise is only as safe as its weakest protection, and 1-time passcodes are so easily hackable that you may as well just invite cyber criminals inside your network. Here’s what you need to know about the cyber security crisis created by 1-time passcodes and how you can keep your accounts safe.

What is a 1-time passcode? 

A 1-time passcode (OTP) — also known as a one-time password, one-time PIN, one-time authorization code, or a dynamic password — is exactly what it sounds like: a passcode, password, or PIN that is valid for only one login session. OTPs can be used as an authentication method for accounts, devices, or computer systems. In theory, OTPs address the potential risks of a static password because they prevent users from re-using passwords, choosing weak passwords, or mismanaging their password privacy. For this reason, implementing OTPs on company accounts, devices, or systems might seem appealing to businesses that are eager to prevent cyber attacks caused by human error on the part of employees. However, OTPs actually open up increased potential for human error by creating an easy mechanism for phishing attacks (more on this below). 1-time passwords are a possession-based form of authentication. What this means is that they verify a user’s identity by having them prove that they have a particular device — usually a smartphone — in their possession. Most OTPs are sent through authenticator apps like Google Authenticator, Microsoft Authenticator, and similar.

Why businesses need MFA

One-time passcodes are one of many authentication types. Simple usernames and passwords used to be the end-all-be-all protection on accounts, but this type of singular authentication is notoriously easy to bypass. Modern businesses and internet users should implement multiple types of authentication — also known as multi-factor authentication (MFA) — on all accounts, devices, and systems in order to comply with cyber security best practices. 

In short, MFA is one of the easiest ways for businesses to shore up their digital security — but it’s not quite as simple as it sounds. It’s also crucial for organizations to consider the strength of the authentication types they choose to protect their accounts. 

How MFA falls short

Not all authentication methods are created equal.

And even if you opt for strong authentication methods but you set backup authentication options that are weaker than your primary authentication — such as allowing users to input a PIN number when biometric authentication is unavailable — then cyber criminals can simply override your strong MFA and breach your accounts by exploiting the weaker backup authentication options.

Unfortunately, experts believe that as much as 90-95% of companies are still using outdated MFA methods that are phish-able. That’s why it’s crucial for organizations to take stock of their authentication methods and shore up security on all accounts and systems — or to partner with a reliable cyber security provider like IronVest who can keep security up-to-date without any action needed on the part of the business.

1-time passcodes and phishing

How exactly do one-time passwords create vulnerability for businesses? In short, all SMS-based forms of authentication provide opportunities for scammers to interact directly with employees, opening up the door for social engineering and phishing attacks. 

Recent waves of cyber attacks targeting OTP vulnerabilities have looked like this: Cyber criminals send out SMS phishing messages en masse hoping to trick at least one person into clicking on a fraudulent link or sending a one-time PIN — because all it takes is one single human error to compromise a business’s entire system. 

These criminals send fraudulent login links or ask employees to send the 1-time passcode provided by their authenticator app, which the cyber criminal then immediately uses to enter business accounts and commit fraud. This very low-skill method of hacking has compromised a significant number of businesses and resulted in significant financial losses and data breaches.

OTP failures in the media

This year, there have been a series of significant cyber attacks exploiting 1-time passwords on company accounts. Here are a few noteworthy events:

• In August, popular food delivery service DoorDash released a statement on their website detailing a phishing attacked leveraged against one of their vendors that gave hackers access to some of DoorDash’s data. 

• This attack was similar to the one leveraged against T-Mobile, in which multiple employees at the phone provider fell for the scam and provided their business account login credentials in fraudulent phishing links.

• A tech company called Twilio that offer programmable communication tools also reported a social engineering incident that led to an unauthorized data breach of customer account details. 

And these are only the tip of the iceberg — numerous other companies have been targeted by cyber attacks exploiting OTP authentication vulnerabilities as hackers look for every possible opportunity to capitalize on outdated account protections.

How OTP can make your business vulnerable

All it takes is one vulnerability for an attacker to do irreparable damage to a company. 

Using OTP on any account creates a potential entry point for criminals — and even large companies like DoorDash and T-Mobile have fallen prey to these types of cyber attacks. Small to medium-sized businesses (SMBs) are especially vulnerable because a singular event of this kind could have an irreparable effect on their finances as well as brand trust. 

How to improve corporate account security

Corporate account security starts with individual employees. In the same way that company accounts are only as strong as the weakest type of authentication, a network is also only as secure as the least-informed employee who uses it.

Additionally, companies should have MFA on all accounts, devices, and systems — but they should choose the types of authentication wisely. Steer clear of all SMS-based authentication and elect for stronger cyber protection options like biometrics.

Educate employees and establish protocols

Employee trainings are necessary for companies to avoid cyber attacks caused by human error such as social engineering and phishing. It’s also important to establish company-wide cyber security protocols that employees at all levels of the company are expected to follow, both in their internal day-to-day work as well as external interactions with clients and partners.

Phishing is an extremely common type of cyber attack leveraged toward businesses because this type of cyber crime is so easy to commit. No sophisticated programs are involved; instead, scammers simply rely on employees willfully offering up login credentials so they can enter a company’s network through the front door.

That said, there are some of the basic cyber security best practices that businesses should train their employees on:

• Never giving away OTPs - especially not via text or email

• Identifying suspicious messages that might indicate a scam

• Spotting potentially fraudulent links and never clicking on them

• Managing passwords safely and practicing good password hygiene

• Keeping all browsers, systems, and apps up-to-date

• Safeguarding all personal and business devices

Remove all SMS-based authentication

None of your corporate accounts should have any form of SMS authentication, whether that’s OTPs or something else. Full stop.

Even if SMS authentication is offered as a primary or backup MFA option on an account, businesses should inform employees about the dangers and instruct them never to use SMS-based authentication measures.

Implement biometric authentication

When it comes to choosing the most secure authentication method for corporate accounts, biometrics are miles ahead.

Unsurprisingly, though, not all biometric authentication types are created equal. At IronVest, we approach biometric authentication in a unique way in order to stay ahead of new vulnerabilities and increasingly complex cyber attacks.

Most providers approach digital security with a one-time authentication at login that puts all the effort into securing just that one step rather than the entire interaction, which leaves a lot of room for attacks to happen. On the other hand, IronVest follows a zero trust architecture to fully authenticate and verify every single access request, capturing a user’s facial biometric continuously throughout their session rather than just once at the login stage.

Click here to learn more about what makes IronVest’s biometric authentication so secure.