Skip navigation
Woman holding a mobile phone, overlaid with a color filter of Duo green
Industry News

The Problem With One-Time Passcodes

What are OTPs (one-time passcodes)?

As organizations have improved their security posture, cybercriminals have found new ways to circumvent those controls. Multi-factor authentication (MFA) is a well-known and well-established protection that many organizations rely on. And that also makes it a target for cybercriminals. Therefore, it is not enough to have MFA turned on, organizations must also deploy secure policies to ensure their users are protected.

Several common authentication methods include the use of one-time passcodes (OTP). Normally these codes are sent through “out-of-band communications,” meaning it is sent through a different channel than the website you are trying to access. For example, if you are logging into an application in a web browser, the OTP might be sent through to your email, through SMS text (short message service), delivered as a voice message, or through a dedicated application. The benefit of these codes is that they are random numbers, so they can be difficult to guess, and they cannot be reused across a user’s different accounts (like passwords typically are).

Problems with OTPs:

However, MFA Interception is a way for bad actors to exploit the passcode and gain access. There are different ways bad actors have intercepted MFA passcodes. Some methods include:

  • SIM Swapping: The attacker uses social engineering to convince a cell phone provider to switch the number to the attacker’s SIM card to gain access to the OTP sent to the trusted user.

  • Brute Force Attacks: Since there is a one in a million chance to guess a random six-digit code, attackers can automate scripts to speed up the process and do it across many users to increase their odds. If the OTP only requires two digits (which can be configured by your organization), that increases the odds to one in one hundred chances of successfully guessing.

  • Phishing: An attacker sends a user a link to a fake website to capture the user’s username and password. The trusted user enters the OTP in the fake website while the attacker simultaneously enters the same OTP into the real website, gaining full access.

  • Social Engineering: An attacker logs in with a user’s credentials and the real user gets sent an OTP. The attacker then calls the user, and says "This is your helpdesk, I need to confirm your account, can you please confirm your OTP?" The user then reads the OTP to the attacker who gains full access.

To make matters worse, much of these capabilities can be purchased or contracted out, where launching an attack to capture and use OTPs codes is as simple as sending bitcoin and providing an email address to target.

How to secure MFA

While there are many problems with OTPs, they are still better than no MFA and there should be some form of additional authentication across all users and applications. There are also alternative options to consider if you are looking to improve your organization’s security posture.

Verified Duo Push is one option that might seem like an OTP but operates in a more secure manner. Rather than sending the user a code to their phone that they enter on their computer, a Verified Duo Push shows the code on the access device (e.g., a computer) and the user inputs that code in the Duo Mobile application. In an attack scenario, the code is presented to the attacker, and not the trusted user, so there is no risk of the attacker stealing it from the trusted user. For the attack to succeed, the trusted user would have to know the code and enter it in the Duo application that is associated with the account.

While a Verified Duo Push requires a user to enter the code at every login, organizations can also deploy Duo’s Risk-Based Authentication solution that analyzes contextual signals at the point of login and can step up to a Verified Duo Push if there is a potential attack on a user.

Passwordless authentication, which uses WebAuthn credentials, is another safe alternative to OTP. This removes the password from the equation and requires you to use a biometric or security key to authenticate. The private key, stored on your computer, unlocks a public key stored in the application. Since the private key lives on the device, it cannot be intercepted by an attacker.

Finally, Trusted Endpoints ensures only safe and known devices can log in. This prevents an attacker on their device from even beginning a login in the first place. It combines both authentication and device policies to provide holistic protection for users.

To learn more about Duo’s secure MFA solution, sign-up for a free trial today.