Problems and Vulnerability of One-Time Passwords over SMS

3 min readJul 25, 2017


by Joe McDonald

Modern hackers are sophisticated, but much of the technology to ward them off is not. One-time passwords (OTPs) over short message service (SMS) were introduced as a more convenient method of authenticating users, but it didn’t take hackers long to crack them. They are no longer considered secure because they’ve been heavily attacked in recent years.

One-time passwords sent over SMS (text messages) were designed to prevent replay attacks and add an additional layer of log on security. A unique password or code is sent to the user via text, and that code must be entered along with a traditional username and password combination to allow access to a site or authorize a transaction. That sounds secure in theory, but OTP over SMS is vulnerable.

Why OTPs over SMS are no longer secure

To further explore this issue, we consulted a scholarly paper written by researchers at Northeastern University and Technische Universit at Berlin. “SMS-Based One-Time Passwords: Attacks and Defense,” published in 2013, takes a broad but in-depth look at the security risks surrounding OTP over SMS.

Researchers analyzed the security architecture of OTPs via SMS and studied recent attacks. They came to the conclusion that the method of authentication is no longer secure for two distinct reasons:

  • The two foundations on which OTP over SMS is built — cellular networks and mobile handsets — were completely different when the method was introduced. Security depends on the confidentiality of text messages and the security of the network, neither of which can be guaranteed.
  • Hackers have created specialized Trojans to get around OTP over SMS security. These trojans hijack mobile phones,. No one has studied this weakness in depth or offered a solution, the paper said.

Beyond just this one report, the vulnerabilities of OTP over SMS have emerged as a popular topic of discussion in the wake of recent high-profile data breaches. Security experts have stressed the need for stronger forms of multi-factor authentication instead, but many companies have ignored those warnings.

A better alternative: stronger multi-factor authentication

OTP over SMS is a form of multi-factor authentication. Multi-factor is considered stronger than simple username and password combos because the user must meet: 1) Something you know (i.e. a username/password) and 2) Something you have (the device). In some cases, a third authenticating factor is required.

Multi-factor authentication is not a new concept. For example an ATM requires two-factor authentication: the card as something you have and the PIN as something you know. Many websites, particularly in banking, have recently begun using OTP over SMS.

What is lost on some companies is that there are many ways to go about multi-factor authentication — and not all are equally secure. There are ways to approach multi-factor that are far more secure than one-time passwords over text. Those include authentication via a secure mobile app or a physical token. New vendors that provide these services are quickly entering the market.

WWPass offers a new approach to strong multi-factor authentication for businesses. WWPass does not rely on usernames and passwords. Authentication process always starts with ‘something you have’ as a first factor. Customers can choose between a secure mobile authenticator called WWPass PassKey or a physical token. Then PIN or biometrics is added as a second factor. No personal data is stored on the PassKey itself. In addition, WWpass encrypts, fragments and disperses all of the credential data across the cloud in 12 locations. Even if some servers are hacked, attackers can’t get all the puzzle pieces they need to do harm.




Experts in multi-factor authentication and client-side encryption. Keeping businesses safe since 2008.