Unnati Khushlani, September 25, 2020

The importance of OTP and 2 factor authentication for customer security

As has been said over and over, Cybersafety is crucial, and passwords play a big role in that. However, there are laid-out practices that allow for successful and efficient use of passwords: for example, the use of a password with a combination of alphanumeric and special characters. According to recent surveys and studies, about 40% of consumers admit to having had a security incident – for example, having their passwords stolen.

As an organization, imagine if your employee's password falls under the wrong hands?

Unauthorized access to your critical information must be your biggest worry. Now, imagine a scenario where you require more than a password to access that critical information, that is, the holder of the password needs to be verified; relieved, right? That is where OTP and two-factor authentication comes in. With these two security mechanisms, account holders are timely verified and authenticated before they are allowed access to an account.

So, what is OTP, and what is 2FA?

What does OTP stand for? A one-time password (OTP), also referred to as a dynamic password, is a string of auto-generated characters or numbers used for a single login attempt or transaction. The OTP is sent to the account user via an SMS, email, or push notification. A generated OTP is only valid for a short period.

The primary purpose of having an OTP process is to add an extra layer of authentication to your web-based service, to protect against fraudulent login attempts. An OTP is more secure than the regular static passwords, especially those that are generated by the user – which can be weak or associated with more than one account.

How does the OTP process work?

Many may get confused between what is OTP authentication and what is OTP verification. An OTP mechanism has an authentication server, which is part of the system that a user is trying to access. When a user enters their account details or triggers a transaction, the system verifies the information and prompts for a One Time Password or an OTP. The OTP itself is generated by the authentication server and sent to the user via an SMS or email. When a user feeds in the OTP, the server verifies it, and grants access to the user. Apart from being sent as an SMS or email, an OTP can also be delivered via a Push notification.

### Advantages of OTP

  1. It is safe from replay attacks: The main advantage of an OTP over a static password is its immunity to replay attacks; in the sense that if an attacker gains access to your OTP, they cannot reuse it because the password automatically becomes invalid after use.
  2. It is convenient to use: OTP primarily uses SMS; and since most users have access to SMS through their phones, OTP becomes a very convenient mechanism to implement.

What is 2 Factor Authentication?

When you are only required to enter your login details – username and password – to access an account, the authentication mechanism in use is referred to as a one-factor authentication. A two-factor authentication (2FA) introduces an extra layer of authentication that verifies whoever is trying to log in; for example, an OTP is a form of two-factor authentication.

This extra layer of authentication makes it harder for unauthorized parties with stolen login details to gain access to the victim’s account because having login details alone is not enough to gain access. 2FA has long been used to manage access to critical systems or information. Take Gmail for instance, whenever there is a login attempt from a new device or browser to a Gmail account by a user who has opted in for 2FA, an OTP is generated in addition to the login details and sent to the owner of the account via a call or text for them to verify the login.

How does 2FA work?

The way 2FA works is similar to your existing login procedure. The only difference is that an additional piece of information is required to compliment your username and password. This piece of information may be in the form of an OTP or code in an app such as Google Authenticator.

To illustrate how a 2FA authentication works, let us have a scenario where a banking institution implements a 2FA in all of its online transactions. In this case, whenever an account holder triggers an online transaction, the bank generates a code that is sent to the customer via their registered phone number or email address. The customer enters the code to authenticate the transaction.

Apart from OTPs, a 2FA authentication also uses a security mechanism such as security questions or biometrics.

### Benefits of 2- Factor Authorization

The following are reasons why you should implement a 2FA in your online accounts.

  1. Advanced security: A 2FA adds a much needed extra layer of security to your system. This means that if login details to your account or that of your customers are stolen, something that happens more often than you might think, the perpetrators will not be able to gain access to the account because it is very unlikely they will have access to your phone or email address too.
  2. Lower cost of security management: In the face of heightened cyber threats, organizations spend huge resources on security practices. 2FA provides a very simple, cost-effective, and efficient way for organizations to handle their security concerns.

Examples of 2FA employed by popular brands

  1. SecureCode by MasterCard: MasterCard SecureCode is a 2FA mechanism that provides an extra layer of security for credit or debit cardholders participating in online transactions. The service is provided by the card-issuing bank.

While shopping online at a participating merchant, a MasterCard holder enters their details during checkout. After entering card details, the user receives a SecureCode from their bank, which they feed into the payment platform for the transaction to be validated.

  1. Google Authenticator: This is a software-based 2FA authenticator by Google that uses both time-based and HMAC-based OTP algorithms to authenticate login attempts. When logging in to a web service that implements Google Authenticator, the authenticator generates a six- to eight-digit OTP which is sent to the user to use together with their usual login details.


2FA is an essential security mechanism that prevents unauthorized access to web-based accounts. Although adding an extra layer of security might seem inconvenient, it will be much inconvenient when an impersonator gains access to your critical system or information; and we at MSG91 are here to offer you guidelines on the importance of 2FA, and a solution!

SendOTP is a top-notch two-factor authentication service from MSG91. Unlike regular OTPs, SendOTP uses both SMS and voice platforms with a backup to manage verification processes, with a success rate of 99%. SendOTP is available for both Android and iOS platforms. It is also available as an API. Reach out to us to know more.