The one-time password: it’s practical, but it has its limits


Alexandre Boero

January 05, 2022 at 5:15 p.m.


The FIDO Alliance, while recognizing the usefulness of the one-time password, questions the password model itself, which is not immune to hacking.

This little six-digit access code, called a one-time password, is admittedly very handy for authenticating yourself on an online service, or for confirming a transaction with your bank, for example. While it is popular and very useful, it suffers from one limitation: like any password, it leaves traces. The FIDO Alliance, renowned for its authentication solutions and protocols, continues to advocate for standards that reduce our dependence on passwords. It explains its position on the subject.

The one-time password suffers from the same limitations as the traditional password

Even though a password's strength depends on factors such as its length or the variety of its characters, even the most complex password can be attacked outright, or be stolen from a compromised database and then exposed. Such a password can then be found on the dark web, where hackers trade it for a few cents or euros.

On that basis, Andrew Shikiar, Executive Director of the FIDO Alliance, tells us that "any form of multi-factor authentication is preferable to using passwords alone". According to him, this technique will make it possible to "thwart the majority of the most common remote attacks, such as phishing".

One might think that one-time passwords are an enhanced security solution. As a reminder, this is a single-use code, usually six digits, sent by SMS or generated by an authentication application, which allows the identity of the user to be verified. "These forms of multi-factor authentication are very popular, because they use readily available technology," explains Andrew Shikiar. Except that in the end, the one-time password suffers from the same flaws and limitations as the traditional password. "It is still a form of knowledge-based authentication, which relies on the user entering human-readable text that must match the 'secret' on a server."

Favor authentication methods without a password

Lifespan is the major difference between one-time and traditional passwords. But the former, despite their short validity, can also be manipulated by hackers, "either through phishing attacks (where hackers set up a realistic-looking spoof of a site that forwards the code to the real site in the background so that they can take control of a user's account), or by technical means such as 'SIM swapping', or SIM redirection software, which they can easily get on the dark web for a fistful of dollars," details Andrew Shikiar.

To be fully effective and secure, multi-factor authentication must first and foremost, according to the FIDO Alliance, be based on possession, rather than on something the user knows, like a password. A biometric card, a smart card or a security key have this advantage of possession. "Smart cards store a user's identification information and PIN code." They serve as a key that authenticates the user to the card when the PIN code is entered.

Andrew Shikiar adds that password-less, possession-based authentication methods remain safe from remote attacks and other phishing attacks. User information is not stored in the cloud or on a company server, which prevents it from being exposed in a data leak. They are also easier to use: "Instead of having to remember and manage different passwords, it is often enough to push a button to securely authenticate."
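To make the contrast between the two passages above concrete (a one-time code is "knowledge" that must match a server-side secret, so a relayed code verifies just as well wherever it was typed, while a possession-based credential signs something tied to the site), here is an added example that is not from the article or from the FIDO Alliance. The TOTP part follows RFC 4226/6238 (HMAC-SHA1, 30-second step, six digits) and uses the RFC test secret; the "origin-bound assertion" is a deliberately simplified stand-in for a FIDO authenticator's signed response (a keyed hash over challenge and origin rather than a real WebAuthn signature), and the origin names are constructed.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a real
# deployment would use a per-user random secret stored server-side.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept any code within +/- `window` steps of now.
    Note what is absent: nothing in the input says where the user typed the
    code, so a code relayed from a look-alike site verifies exactly like one
    typed on the genuine site."""
    base = int(at_time) // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + k, digits), candidate):
            return True
    return False


def origin_bound_assertion(credential_key: bytes, challenge: bytes, origin: str) -> str:
    """Simplified model (assumption, not the WebAuthn format) of what a
    possession-based authenticator returns: a keyed hash that covers the
    server's fresh challenge AND the origin the browser reports."""
    return hmac.new(credential_key, challenge + b"|" + origin.encode(),
                    hashlib.sha256).hexdigest()


def verify_assertion(credential_key: bytes, challenge: bytes,
                     expected_origin: str, assertion: str) -> bool:
    """The relying party recomputes for ITS OWN origin; a response produced
    while the user was on a different origin cannot match."""
    expected = origin_bound_assertion(credential_key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def demo() -> dict:
    """Walk through both mechanisms and return the outcomes."""
    now = 59  # RFC 6238 test time: step counter 1, code 287082
    code = totp(RFC_TEST_SECRET, now)

    # The genuine site accepts the code; a relay of that same string is
    # indistinguishable to the server, so it is accepted as well.
    accepted_direct = verify_totp(RFC_TEST_SECRET, code, now)
    accepted_relayed = verify_totp(RFC_TEST_SECRET, code, now + 5)

    # Constructed credential key and challenge for the possession-based case.
    cred_key = b"constructed-per-credential-key"
    challenge = b"constructed-random-challenge"
    genuine_origin = "https://bank.example"
    lookalike_origin = "https://bank-login.example"  # constructed spoof origin

    from_genuine = origin_bound_assertion(cred_key, challenge, genuine_origin)
    from_lookalike = origin_bound_assertion(cred_key, challenge, lookalike_origin)

    return {
        "totp_code": code,
        "totp_accepted_direct": accepted_direct,
        "totp_accepted_relayed": accepted_relayed,
        "assertion_accepted_from_genuine": verify_assertion(
            cred_key, challenge, genuine_origin, from_genuine),
        "assertion_accepted_from_lookalike": verify_assertion(
            cred_key, challenge, genuine_origin, from_lookalike),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two verifiers side by side is the input they take: `verify_totp` sees only a secret, a six-digit string and a clock, so the server cannot tell a relayed code from a typed one; `verify_assertion` includes the expected origin in what it recomputes, so a response obtained while the user was on another site fails without any extra logic. That is the difference the article's "possession rather than knowledge" argument rests on.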


Source: FIDO Alliance


