SMS one-time password (OTP) is a well-known, simple form of authentication: the user proves their identity with a dynamic code delivered to them in an SMS message. It is most often used as the second factor of two-factor authentication (2FA), alongside a static PIN or password, to gain access to a particular network or service. Although two factors are better than one, SMS OTP is not considered a reliable way to verify identity, because of an array of risks specific to the channel: SIM swapping, attacks on the SIM itself, and interception of the message in transit, any of which can end in account takeover.
Until recently, SMS OTP was one of the most convenient ways of authenticating an online transaction or logging in to a payment account: the user simply enters the received OTP into their payment application to approve the transaction. In that setting the SMS usually carries additional information about the transaction, namely the amount and the payment beneficiary. To perform 2FA, banks and payment service providers combine a static PIN with the SMS OTP, the PIN being the knowledge element and the SMS OTP the possession element.
The second Payment Services Directive (PSD2) mandates Strong Customer Authentication (SCA), which requires online payments to be authenticated with two of three independent elements: Knowledge (something you know, such as a PIN or password), Possession (something you have, such as a smartphone), and Inherence (something you are, i.e. biometric authentication). SMS OTP, being recognised as a possession element, combined with a static PIN/password is therefore an acceptable authentication method under the PSD2 SCA requirement. Strictly speaking, the possession element is not the SMS OTP itself but the SIM card associated with the respective mobile number.
EBA's opinion on the matter is as follows:
For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device.
In this context, a one-time password sent via SMS would constitute a possession element and should therefore comply with the requirements under Article 7 of the Delegated Regulation, provided that its use is ‘subject to measures designed to prevent replication of the elements’, as required under Article 7(2) of this Delegated Regulation. The possession element would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number.
To conclude, SMS OTP can satisfy PSD2 SCA when combined with a static PIN/password or another authentication method that counts as a knowledge or inherence element, provided the provider has measures in place to prevent replication of the SIM, as Article 7(2) requires.
However, SMS OTP is subject to a variety of security concerns. As mentioned earlier, much of the risk comes from using SMS as the channel: the message can be intercepted in transit and manipulated in man-in-the-middle attacks. SIM swaps, in which a fraudster takes over the victim's mobile number so that the OTP is delivered to them instead of the victim, are a further threat. SMS OTP has been in use for decades, so fraudsters have well-practised techniques for defeating it.
Although SMS OTP can be PSD2 SCA compliant, the EBA's position is more nuanced. Another requirement introduced by PSD2, Dynamic Linking, raised questions about whether SMS OTP can comply.
Dynamic linking requires that each authentication code be specific to the transaction's amount and the payee. The goal is to defeat man-in-the-middle and similar attacks by binding the authentication code sent to the user to the amount and the payment details, so that any change to the amount or the payee invalidates the code and the fraudulent attempt fails. Dynamic linking also requires that the confidentiality, authenticity and integrity of the amount and payee be protected throughout all phases of the authentication.
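To make the binding concrete, here is an added example (not code from the original article or from any bank's system) of how a dynamically linked code can be generated and verified. The code is an HMAC over the amount, currency, payee and a per-transaction nonce, truncated to six digits in the RFC 4226 style; the server only accepts it for the exact order it will execute, so a code captured for one amount or payee is useless for another. The key, the IBANs and the SMS wording are constructed for the example; the design choices (length-prefixed fields, attempt limit, single use) are mine, not a requirement quoted from the RTS.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Hypothetical per-user key held by the bank's authentication server.
# Constructed for this example; a real deployment keeps it in an HSM.
SERVER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")


@dataclass(frozen=True)
class PaymentOrder:
    amount: str    # canonical decimal string with two places, e.g. "150.00"
    currency: str  # ISO 4217 code
    payee: str     # beneficiary account (IBAN here)
    nonce: str     # per-transaction challenge, so a code cannot be replayed


def canonical_amount(value) -> str:
    """Normalise so that "150", "150.0" and "150.00" all bind to the same code."""
    try:
        return f"{Decimal(str(value)).quantize(Decimal('0.01')):f}"
    except InvalidOperation as exc:
        raise ValueError(f"bad amount: {value!r}") from exc


def linking_message(order: PaymentOrder) -> bytes:
    """Serialise the linked fields with length prefixes so no field can spill into the next."""
    fields = [order.amount, order.currency, order.payee.replace(" ", "").upper(), order.nonce]
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)


def generate_code(key: bytes, order: PaymentOrder, digits: int = 6) -> str:
    """Code bound to amount, currency, payee and nonce: HMAC-SHA256 with RFC 4226-style truncation."""
    mac = hmac.new(key, linking_message(order), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10 ** digits:0{digits}d}"


def verify_code(key: bytes, order: PaymentOrder, code: str) -> bool:
    return hmac.compare_digest(generate_code(key, order), code)


class AuthServer:
    """Issues a linked code for a pending order and accepts it only for that exact order."""

    MAX_ATTEMPTS = 3

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # tx_id -> [PaymentOrder, attempts]

    def issue(self, amount, currency: str, payee: str):
        order = PaymentOrder(canonical_amount(amount), currency, payee, secrets.token_hex(8))
        tx_id = secrets.token_hex(4)
        self.pending[tx_id] = [order, 0]
        code = generate_code(self.key, order)
        # What the SMS body would carry: the code plus the details the payer must check.
        sms = f"Pay {order.amount} {order.currency} to {order.payee}? Code: {code}"
        return tx_id, sms

    def confirm(self, tx_id: str, amount, currency: str, payee: str, code: str) -> bool:
        entry = self.pending.get(tx_id)
        if entry is None:
            return False  # unknown, expired or already used
        order, attempts = entry
        if attempts >= self.MAX_ATTEMPTS:
            del self.pending[tx_id]
            return False
        entry[1] += 1
        # Rebuild the order from the details that will actually be executed, with the stored nonce.
        submitted = PaymentOrder(canonical_amount(amount), currency, payee, order.nonce)
        if not verify_code(self.key, submitted, code):
            return False  # amount or payee differs from what the code was linked to
        del self.pending[tx_id]  # single use
        return True


def demo() -> dict:
    """Constructed scenario: one genuine approval, two in-flight tampering attempts, one replay."""
    server = AuthServer(SERVER_KEY)
    payee = "DE89 3704 0044 0532 0130 00"
    tx_id, sms = server.issue("150", "EUR", payee)
    code = sms.rsplit("Code: ", 1)[1]  # what the payer reads off the SMS
    return {
        # attacker changes the amount in flight, reusing the genuine code
        "tampered_amount": server.confirm(tx_id, "1500.00", "EUR", payee, code),
        # attacker changes the beneficiary (constructed IBAN)
        "tampered_payee": server.confirm(tx_id, "150.00", "EUR", "DE02 1203 0000 0000 2020 51", code),
        # the payer approves exactly what they were shown
        "genuine": server.confirm(tx_id, "150.00", "EUR", payee, code),
        # the same code presented a second time
        "replay": server.confirm(tx_id, "150.00", "EUR", payee, code),
    }
```

Note that the linking only protects the integrity of amount and payee as seen by the server. It does nothing for confidentiality: the SMS body in `issue()` still carries the amount, the beneficiary and the code in clear text over the mobile network, which is exactly the gap the EBA's reading of Article 22 turns on.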
EBA's opinion on the matter is as follows:
In addition, regardless of whether a strong customer authentication element is possession, knowledge or inherence, Article 22(1) of the Delegated Regulation requires that “payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication” and Article 22(4) of the Delegated Regulation states that “payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards”.
Because SMS travels over SS7, the telephony signalling protocol, which is not considered secure, any transaction amount or order details placed in the SMS would have to be encrypted to meet this requirement. Decrypting that content would take significant effort on the user's side, cause confusion and, in the end, create a lot of friction. The conclusion drawn from the EBA's opinion is that SMS OTP for Dynamic Linking is not PSD2 compliant unless the content of the message is protected with additional encryption or delivered through a secure channel.
Although SMS OTP is a widely known authentication method, it should be used with caution and treated as an alternative rather than the standard method. Offering SMS OTP as a fallback is common practice: if all else fails, the user can still rely on it. Bear in mind, though, that a fallback is also an attack path, and an attacker who has swapped the victim's SIM will choose it; the fallback should therefore be rate-limited, logged and, for payments, still bound to the amount and payee. Another option is to deliver the OTP through a more secure channel: most banks have their own mobile applications, which communicate with the server over TLS/HTTPS and can display the amount and payee inside the app. Finally, less tech-savvy users, such as older customers who are not used to smartphones, will appreciate being able to keep SMS OTP as one of their primary authentication methods.