There is No Silver Bullet for Secure, Cheap and Easy Login

One-Time Passwords (OTPs), along with PINs and codes, were originally designed to be used as a second factor of authentication to the humble and flailing password. However, over time, like passwords, OTPs have also become weak as hackers turned their attention toward breaking them, yet both are very much still with us.

Dedicated hardware biometrics can be highly secure, but they are also error-prone and expensive, and hence hardly used. SMS-based OTP is still popular for consumer services as it is very easy and quick to deploy, even though it has major security weaknesses. Push authentication is more popular with enterprises as it strikes a good balance, but it isn’t perfect: it requires an enrolled smartphone and can suffer from connectivity issues. Passwords, on the other hand, are perceived as free, but actually have a very high cost and low security if not managed correctly. For example, if you are still enforcing a complex password, you are doing it wrong.

The balance between usability, security and cost is critical, and some will place higher importance on one than on another. All these authentication methods fall into a few “factors”, typically something you have (possession), something you are (inherence) and something you know (knowledge). Possession factors can be costly and inconvenient, as people don’t want to carry around extra stuff and may be reluctant to use their own personal items, like a smartphone. Inherence solves that problem, but a biometric reader is needed to prove who the user is, which could be a reader in a smartphone or an expensive dedicated hardware reader. Knowledge factors are often dismissed as a viable option due to the assumption that a password is the only option. Passwords can be kept relatively secure and cost-effective by following the 2017 NIST guidelines and managing them properly. Alternative knowledge factors also exist, such as security questions and grid pattern authentication, which are too often overlooked.

While there is no silver bullet to the problem of how to log somebody in securely, cheaply and easily, there are many options to choose from to get the best set of tools for the job at hand.

www.authlogics.com
