Skip navigation
Balancing Convenience and Caution with One-Time Passwords
Product & Engineering

Balancing Convenience and Caution with One-Time Passwords

From chat rooms, to emails, to bank accounts, to medical information, proving that someone is who they say they are is a continuously evolving challenge. One-time passwords (OTPs) have become mainstream because a randomly generated one-time use code solves many of the security problems associated with a static password associated with a static account. However, recent trends show that bad actors are targeting organizations by using OTPs in phishing attacks.

Let’s review what one-time passwords are, how phishing takes advantage of them, and how multi-factor authentication can help mitigate this risk.

What is a One-Time Password?

A one-time password is a randomly, automatically generated code that is sent to a known device of a user trying to log in. With an OTP, a user must authenticate by entering a code either sent to or generated from their device into the input screen they’re trying to access. 

How Phishing Attacks Can Capture OTPs

Attackers may gain access to a user’s account by sending a phishing email that contains a link to a familiar login page. The login page asks for a username and password and then redirects the user to a fake authentication page that mimics the look and feel of well-known OTP providers. Here, the user is prompted to generate a one-time passcode and then provide it on a fake OTP page. The attacker then possesses the user’s primary credentials and the generated code that will allow them to gain access to the account.

Cisco Talos recently observed instances of a scenario like this, executed with fake Duo authentication pages as well as other access providers.

Quick Tips to Mitigate Risk Around OTPs

  • Check your OTP settings and only enable OTP if required.

  • When applicable, encourage users to use other authentication options, such as security keys.

  • Educate your users about security hygiene topics, like confirming whether an email or website is legitimate, or rejecting a fraudulent request:

  • Check the links and URLs in any message asking you to enter credentials. 

    • Is the URL secure (https)? 

    • Do the links go to your official organization (for example, domain ending in .edu for academics)? 

    • Does the authentication site go to (or whatever access provider your organization uses)?

  • Deny any suspicious authorization request.

    • Did you request this access to the stated application?

    • Is the request coming from your location?

  • For Duo users specifically, Duo Mobile offers the ability to generate a one-time passcode. The primary use case is offline 2FA access. If you don’t have a need for offline access in your organization, Duo strongly recommends checking what your settings are and turning this feature off

  • Whenever possible, train your community to use Security Keys or Duo Push through the app. These are the most secure remote authentication options, as illustrated below.

A flow of security authentication methods, from low level of assurance (voice) to high level of assurance (WebAuthn).

If you have any questions about this trend or what Duo can do to help protect you and your applications, please contact Duo Support.