One-time passwords can give users a unique code that signals to the bank that they’re not thieves who’ve grabbed hold of someone’s password.
One-time passcodes work great for PC users. For example, if you’re doing something potentially risky on a bank’s website, you might be stopped from proceeding until you enter a special code, which you can choose to receive through an “out-of-band” phone call or via email. This works well because even a completely hacked browser might have trouble answering the phone or reading your email.
By comparison, the principle of using a separate channel for distributing a one-time passcode is violated in the case of mobile devices. A single smartphone may act as the hub for voice calls, SMS messages, emails, browser sessions and mobile banking sessions. Therefore, if a smartphone has been severely compromised, the one-time password could also be intercepted along with the banking session.
For commercial clients and high-net-worth individuals in the U.S., a common approach for banks is the distribution of separate devices capable of generating one-time passcodes. The user may have to authenticate with the device using a smartcard or PIN in order to generate a one-time passcode, or “token.”
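As an added example (not from the article), the following models how such a token and the bank's verifier interoperate using the HOTP algorithm from RFC 4226: the device side computes the code from a shared secret and a moving counter, and the server side accepts it once within a look-ahead window so the same code can never be replayed. The secret and counters are constructed test values, and the look-ahead width is an assumed server policy.

```python
"""HOTP (RFC 4226) generation and server-side verification.

Added example, not from the article. Models the separate OTP-generating
token described above (device side) and the bank's verifier (server side),
including the look-ahead window that tolerates a token pressed a few times
without the code being submitted. Secret and counters are constructed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP value for a shared secret and 8-byte moving counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte offset.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Bank-side state for one token: shared secret and next expected counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we expect
        self.look_ahead = look_ahead  # assumed policy: tolerate 5 skipped presses

    def verify(self, submitted: str) -> bool:
        """Accept a code only if it matches one of the next look_ahead counters.

        On success, advance past the matched counter so the same code (or any
        earlier one) is rejected afterwards; on failure, leave state unchanged.
        """
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False
```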
Although non-U.S. banks have gone down this road for retail banking customers, it has yet to catch on domestically. “In the U.S. it’s seen as an inconvenience,” says Forrester’s Eve Maler. “In other places it’s seen as a status symbol – or it could turn around and make you a kidnapping target.”
Given the challenge of finding a suitable out-of-band authentication method for a mass market, financial institutions are turning to various solutions that may use the existing device but in intelligent ways that make it difficult for attackers to intervene. “There are clever solutions out there with interesting security properties and ancillary use cases,” says Maler.