“OTP authentication is no longer secure enough”

A spokesman for the Ministry of Information and Communications stated that OTP (one-time password) authentication is no longer strong enough to protect users from attacks.

At the Asia-Pacific FIDO 2023 Conference in Khanh Hoa on the morning of August 29, Tran Dang Khoa, Deputy Director of the Department of Information Security of the Ministry of Information and Communications, said that many platforms use OTP codes as an extra authentication factor, for better security than a password alone. In practice, however, this method is still bypassed in many ways: for example, attackers set up websites impersonating legitimate ones to trick users into entering the OTP, or malware reads the OTP from SMS messages or emails.

Citing a 2022 report on authentication in the global financial industry, Mr. Khoa said that 80% of financial institutions and banks had suffered breaches caused by weak authentication, at an average loss of one million US dollars per day over the year. In addition, 99% of survey respondents agreed that traditional authentication based solely on passwords and one-time passwords (OTP) is no longer strong enough to protect accounts from today's increasingly sophisticated cyberattacks.

Mr. Tran Dang Khoa spoke at the event. Photo: Dao Bin

According to Mr. Andrew Shikiar, Executive Director of the FIDO (Fast IDentity Online) Alliance, the password is a security method that has been around for over 60 years but now shows many weaknesses and needs to be replaced.

On usability, he said that many companies lose customers when users forget their password for the platform. From a security standpoint, passwords have been supplemented with additional layers such as OTP codes or code-generating apps, but for attackers these measures are "no exception": they can be bypassed just as easily.

Alternatives to traditional passwords and OTP

According to experts, the answer to account hijacking is to log in with passwordless authentication. "The simple username, password and OTP authentication method is risky and not secure enough; it is gradually being replaced by strong passwordless authentication technology, and this is an irreversible trend," said Mr. Khoa.

Passwordless authentication relies on a private key, held by the user, that takes part in the authentication exchange. Use of this key is unlocked by something only the user has or is: a face, a fingerprint, a PIN, or a FIDO-compliant hardware device.

As Mr. Andrew Shikiar explained, when a user logs in, the verification is handled locally on the device and no secret is transmitted, so attackers cannot capture it remotely. In addition, the method runs automatically inside applications and is bound to the site's URL, so users are spared typing a password and cannot be led into logging in to a fake website.

How passwordless authentication works. Photo: FIDO

A spokesman for the Department of Information Security said that passwordless authentication is becoming a mainstream trend and is being adopted by many organizations around the world. Vietnam and other countries in the region are also in the process of moving from traditional authentication to passwordless authentication. At the event, the Department of Information Security announced that it had joined the FIDO Alliance, becoming one of the alliance's 10 government-level members.

"In order to quickly move out of this authentication low point and avoid becoming a valuable and easy target for cybercriminals, a specific action plan is needed, with government agencies leading by example and technology enterprises taking part," said the department's representative.

Mr. Do Ngoc Duy Trac, CEO of VinCSS, assessed that passwordless authentication is the only technology today that fully addresses all three aspects of authentication: security, reasonable cost, and user friendliness. Today, large technology companies such as Apple, Amazon, Microsoft, Google and Intel apply this solution in their products.

According to him, practical solutions are already present in everyday life. One of the most widespread FIDO applications is the passkey support built into the Android and iOS operating systems. Users logging into their accounts on a device through biometric authentication such as a fingerprint or face is one example of this method.

Experts believe that Vietnam's accession to the FIDO Alliance gives the Ministry of Information and Communications an opportunity to study trends, technological solutions and standards in modern passwordless authentication on the Internet. On that basis it can research and propose policies and regulations, and advise on the development and application of passwordless authentication products and services to support the nation's digital transformation.

Luu Quy