Generations have changed: we are living in a digital age, one characterized by technologies that increase the speed and breadth of knowledge turnover within the economy and society, and in which most of our important transactions are done ‘online’, over the internet. Financial transactions through online or electronic channels are gaining traction in India. According to data updated by the National Payments Corporation of India (NPCI), the emerging value of transactions through the Unified Payments Interface (UPI), a digital payment mode.
One such method for securing financial transactions is the One-Time Password, or OTP. OTP systems provide a mechanism for logging into a network or service using a unique password. As the name suggests, this password can be used only once and is valid only for a limited period of time.
While doing financial transactions through net banking, a person needs to fill in all the details like bank account number, debit/credit card details and banking password. At the end, a system-generated password is sent to the user’s registered mobile number and registered email address to verify the transaction.
Banks warn their customers against sharing this OTP with anyone, whether by message, e-mail or phone. A stranger may call and ask for an OTP in the name of the bank, but the user should never share it. Obtaining someone else’s OTP in this way is considered a crime. The bank itself never asks customers for an OTP; keeping it secret is the customer’s own responsibility. Let us provide detailed information about it.
What is OTP and 2-step Verification?
One-time passwords (OTPs) are an authentication method generally used as one factor in two-factor authentication (2FA) and multi-factor authentication (MFA). An OTP is a unique password that is valid for only one login session and only for a specified period of time. Since an OTP cannot be reused, it overcomes many of the shortcomings of traditional (static) passwords; in particular, a password captured by an attacker cannot simply be replayed later.
Where is it used?
An OTP is a security code of 4 or 6 digits used for online transactions. When we buy products from an e-commerce company, we pay through our credit/debit card or net banking. After you fill in your banking details while making the payment, a security code is sent by SMS to the mobile number registered with your bank. This security code is the OTP. Your digital payment succeeds only after you enter the security code received via SMS.
Unique information about OTP
The distinguishing feature of an OTP is that the code is used only once: it is valid for a single use, and if we do not use it within a certain period, it expires. In other words, a fresh code is generated for every online transaction, so that our account stays secure. Even if someone obtains your username and password, they cannot use them, because the OTP is also required, and it is delivered only to your registered mobile number or e-mail address.
How are one-time passwords synchronized?
One-time passwords can be created in a variety of ways, and each has trade-offs in terms of security, convenience, and cost.
1. Time synchronization
One method of generating one-time passwords is to use time synchronization. Each user has a personal token (which may look like a small calculator or a keychain) with a display showing a number that changes periodically. Inside the private token is a clock that is synchronized with the proprietary authentication server’s clock. Both the device and the application server generate new one-time passwords based on a numeric version of the current time.
Time-synchronized passwords do not have to match exactly: there is usually an acceptance window in which the previous or next password is also accepted. This allows for the time it takes a person to read and enter the OTP; changing the password every second, for example, would be impractical, because the end user would not have enough time to enter it before it became invalid.
2. Lock-step
In the second method the computer system and the token start with the same shared number (called a seed). The token device increments its own internal counter each time a new password is generated, and the server increments its counter each time you actually log in.
The two can get out of step if the user generates a password without using it, which advances the token’s counter beyond the application server’s counter. However, some tolerance is usually built in so that the two can be slightly out of sync, and the server will (usually) resynchronize automatically when it detects that it has fallen behind.
This OTP technique is called lock-step or counter synchronization. Although proprietary hardware is still required, it does not suffer from the inconvenience of keeping clocks in sync.
3. Transmission Based OTP
The third method is completely different. Instead of two devices independently computing their own passwords (which are then compared for validity), the passwords are randomly generated by the authentication server. Because the password is completely random, a token device cannot compute it on its own, so the one-time password has to be actively communicated to the end user.
These disposable passwords are often referred to as “SMS-OTP” because they are usually sent by text message, but they can also be delivered by an app or a handheld electronic device (a security token), or in some cases even printed and mailed. When you want to authenticate, the system sends you your password and you use it to log in. A big advantage of this approach is that it eliminates the need to supply and maintain proprietary hardware.
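For the server-generated (SMS-OTP) method, the server itself must enforce the single-use and expiry properties described earlier. The following is an added example, not code from the article, of the server side: it issues a random code for delivery, stores only a keyed hash of it, and discards the record on success, on expiry, or after too many wrong guesses. The validity period, attempt limit and in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity period
MAX_ATTEMPTS = 3        # assumed cap on guesses against a 6-digit code
# Assumed: in production this key comes from a secret store, not a fresh random value.
SERVER_KEY = secrets.token_bytes(32)

_pending = {}  # user_id -> {"tag": keyed hash of code, "expires": deadline, "attempts": count}

def _tag(code: str) -> str:
    """Keyed hash so a leaked store does not reveal (or allow brute-forcing of) live codes."""
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()

def issue_otp(user_id: str, now: float = None, digits: int = 6) -> str:
    """Generate a fresh random code for the delivery channel (SMS, e-mail, app).
    Only the keyed hash is kept server-side; the code itself is never logged."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    _pending[user_id] = {"tag": _tag(code), "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code

def verify_otp(user_id: str, code: str, now: float = None) -> bool:
    """Single use: the record is removed on success, on expiry, or once attempts are exhausted,
    so a correct code presented a second time is rejected."""
    now = time.time() if now is None else now
    rec = _pending.get(user_id)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[user_id]
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["tag"], _tag(code))
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]
    return ok
```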