The one-time password (OTP) has long been hailed as the silver bullet for combating fraud resulting from the compromise of static information such as user IDs, passwords, card numbers, and expiration dates. It empowers customers to protect themselves against unauthorized transactions across e-commerce, internet, and mobile banking platforms. Widely adopted across various sectors, OTP serves as a crucial security measure for safeguarding customer accounts and transactions.

Originally consisting of 4 digits, OTPs have evolved into 6-digit and 8-digit codes, with the validity period continuously decreasing to thwart attempts by fraudsters. Some organizations have even implemented split OTPs, where one half is sent to the email address associated with the account and the other half to the registered mobile number. Additionally, there's a growing trend of sending OTPs via email in password-protected PDFs.

The widespread adoption of OTPs not only bolstered security but also provided an added revenue stream for telecom companies. In India alone, an estimated 1 billion OTPs are sent daily, totalling 30 billion in a month and a staggering 360 billion in a year.

So, if it’s so widely used, what’s the problem? Why would the Reserve Bank of India want organizations to implement alternative authentication mechanisms? Here are five common issues with OTPs:

1. Vulnerability to Social Engineering: Fraudsters have become adept at manipulating individuals through social engineering tactics to obtain OTPs.

2. Ineffectiveness Against Authorized Push Payment Fraud: OTPs are ineffective when customers themselves unknowingly authorize transactions to fraudsters.

3. Potential for OTP Theft: Technologies exist that can steal OTPs from mobile devices without the customer's knowledge, compromising their security.

4. Accessibility Issues: Customers may face difficulties accessing OTPs when traveling if they don't have roaming access on their mobile devices. OTPs sent via email pose a higher risk of compromise.

5. Friction in Customer Experience: Requiring OTP for every interaction can add unnecessary friction to the user experience, especially if the customer extensively uses the same device for transactions.

In summary, while OTPs have been widely adopted as a security measure, they are not without their shortcomings, and their effectiveness can be compromised by numerous factors such as social engineering, technological vulnerabilities, and accessibility issues.

The recent announcement by the Reserve Bank of India expressing a preference for principle-based alternate authentication mechanisms to secure transactions is a welcome step towards bolstering the security of digital transactions. A concerning report by the Ministry of Home Affairs revealed over 65,000 cases of cyber fraud reported in 2022 alone. However, this figure likely underestimates the true extent of cybercrime, indicating a pressing need for more effective measures beyond OTPs.

Organizations are increasingly recognizing the importance of ensuring that digital transactions are initiated by the genuine customer and that the customer is fully aware of and in control of their actions, mitigating the risks of social engineering and authorized push payment fraud. Several alternative approaches can achieve this, and this is presumably also what the RBI intended when it stated its preference for principle-based alternate authentication mechanisms to enhance transaction security. Some alternatives include:

1. Trusted Device Verification: Establishing trust in the device involves verifying the registered mobile number, authenticating the customer's identity against original documentation, and employing facial recognition technology to match the customer's face with the ID photo. Once this is completed, all transactions from the trusted device are considered secure. Any new device registration undergoes the same rigorous process. Advanced technologies can also defend against deepfake videos. Interactions from devices outside the trusted list require additional authentication, such as scanning a QR code from the mobile app or confirming an in-app push notification.

2. Customer Profiling: Building customer profiles based on user and account behaviour can determine whether the activity is driven by a genuine user or part of an automated attack. Every user has a distinct digital behaviour - from the way they hold their phone to how they click, scroll, navigate, and apply typing pressure on a screen. Any deviations from typical behaviour patterns trigger enhanced authentication measures through the mobile banking app, including detailed transaction information and automated callouts.

3. Access Point Authentication & Validation: Detecting unusual accesses involves mapping cross-channel interactions. For example, monitoring the use of a debit card in one location while accessing the account from a location 200 kilometres away within a short timeframe raises red flags. Other suspicious activities include using the same device to access multiple unrelated accounts, accessing accounts from devices or IP subnets associated with past fraud incidents, and detecting the presence of malware or screen-sharing apps during active banking sessions.

4. In-App Notifications: Leveraging in-app notifications can reduce reliance on SMS messages for OTP delivery, saving costs and ensuring functionality even when customers are traveling and using Wi-Fi connections.

5. Customer Empowerment: Banking apps can empower customers by providing options to block their cards or e-commerce transactions during certain periods. Unlocking these features is restricted to the banking app on a trusted device, adding a layer of security.
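As an added illustration of items 1 and 3 above (example code written for this page, not taken from the original post or from any bank's system), the following Python risk engine combines the two ideas: a transaction from a trusted device is allowed, one from an unregistered device is sent to step-up authentication (QR scan or push confirmation), and cross-channel "impossible travel" or one device touching several unrelated accounts is flagged for review. The account names, device identifiers, coordinates (Mumbai and Delhi), timestamps and the thresholds of 900 km/h and two accounts per device are constructed assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AccessEvent:
    """One customer interaction on any channel (all field values constructed)."""
    account: str
    device: str      # device fingerprint for app/web, card identifier for POS
    channel: str     # "mobile_app", "web" or "card_pos"
    lat: float
    lon: float
    ts: int          # Unix time in seconds


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


class RiskEngine:
    """Returns one of 'allow', 'step_up' or 'review' for each event.

    Thresholds are assumptions for the example: an implied travel speed above
    900 km/h (faster than a commercial flight) or a single device used for more
    than two accounts is treated as a red flag.
    """

    def __init__(self, trusted_devices, max_speed_kmh=900.0, max_accounts_per_device=2):
        self.trusted = {acct: set(devs) for acct, devs in trusted_devices.items()}
        self.max_speed_kmh = max_speed_kmh
        self.max_accounts_per_device = max_accounts_per_device
        self.last_event = {}                      # account -> most recent event on any channel
        self.accounts_by_device = defaultdict(set)  # device -> accounts it has accessed

    def evaluate(self, ev):
        reasons = []

        # Cross-channel impossible travel: compare with the account's previous
        # interaction regardless of channel (e.g. card at a POS, then web login).
        prev = self.last_event.get(ev.account)
        if prev is not None and ev.ts > prev.ts:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts) / 3600
            if dist / hours > self.max_speed_kmh:
                reasons.append(f"impossible_travel:{dist:.0f}km:{prev.channel}->{ev.channel}")

        # Device checks apply to app/web sessions, not to physical card use.
        if ev.channel != "card_pos":
            self.accounts_by_device[ev.device].add(ev.account)
            if len(self.accounts_by_device[ev.device]) > self.max_accounts_per_device:
                reasons.append("shared_device")
            if ev.device not in self.trusted.get(ev.account, set()):
                reasons.append("untrusted_device")

        self.last_event[ev.account] = ev

        if any(r.startswith(("impossible_travel", "shared_device")) for r in reasons):
            decision = "review"        # hold for manual/automated call-out
        elif "untrusted_device" in reasons:
            decision = "step_up"       # QR scan or in-app push confirmation
        else:
            decision = "allow"
        return decision, reasons


# Constructed sample: trusted device per account, then a sequence of events.
TRUSTED_DEVICES = {"acct-1001": {"dev-A"}, "acct-2002": {"dev-B"}, "acct-3003": {"dev-C"}}
SAMPLE_EVENTS = [
    AccessEvent("acct-1001", "dev-A", "mobile_app", 19.0760, 72.8777, 1_700_000_000),    # Mumbai, trusted app
    AccessEvent("acct-1001", "card-1001", "card_pos", 19.0760, 72.8777, 1_700_000_300),  # Mumbai POS, 5 min later
    AccessEvent("acct-1001", "dev-X", "web", 28.6139, 77.2090, 1_700_001_200),           # Delhi web, 15 min after POS
    AccessEvent("acct-2002", "dev-X", "web", 28.6139, 77.2090, 1_700_001_260),           # same device, 2nd account
    AccessEvent("acct-3003", "dev-X", "web", 28.6139, 77.2090, 1_700_001_320),           # same device, 3rd account
]


def run_sample():
    """Evaluate the constructed events in order; returns (decision, reasons) per event."""
    engine = RiskEngine(TRUSTED_DEVICES)
    return [engine.evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, (decision, reasons) in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ev.account} {ev.channel:<10} {decision:<8} {reasons}")
```

The third event is the cross-channel case from item 3: a card used at a Mumbai terminal followed fifteen minutes later by a web session from Delhi, roughly 1,150 km away, which no legitimate traveller could cover, so it is held for review rather than merely stepped up. Keeping the last event per account across all channels, rather than per channel, is what makes that correlation possible.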

By implementing these alternative authentication measures, organizations can significantly enhance the security of digital transactions while providing customers with a seamless and secure banking experience.
