Instead of relying on technology that is not in their control, businesses should stop using SMS based OTPs and start using other software-based or hardware-based token authentication, which are in their control, says Venkata Satish Guttula.
When cellular services started in India, SMS was the favoured medium for communication. Value-Added Service (VAS) soon became a popular business. VAS promotional messages to download ringtones, logos etc, were sent to mobile subscribers. Operators earned good revenue out of this VAS business.
The telemarketers then started using this medium to send unsolicited messages offering real estate deals, attractive interests on bank loans etc. It soon became a nuisance so these messages were bifurcated into promotional messages and transactional messages, and a do not disturb (DND) registry was set up for telemarketers.
The authorities also set up two routes to send the messages.
But sending promotional messages was costlier than transactional messages, and the biggest problem the telemarketers faced is that promotional messages are not delivered to the mobile subscribers in the DND registry. So, telemarketers started sending promotional messages using the transactional route.
The aggregators were supposed to verify the transactional messages, but many did not.
Distributed Ledger Technology (DLT), a blockchain-based registration system, was introduced to tackle this menace. The verification and approval of the SMS templates are taken out of the aggregators' hands, and centralised.
Businesses who want to send SMS messages to customers using the transactional route should register themselves in the DLT platform and then submit their SMS templates in the platform for approval. Only after the approval of these templates can they send SMS messages.
This DLT system was to prevent telemarketers from sending promotional messages as transactional messages and was geared to reject any message sent which does not match the approved SMS templates.
The DLT system went live on March 8, 2021. Still, many businesses, including some banks, even after sufficient advance notice was given, failed to register with the DLT platform and get their SMS templates approved on time, resulting in the massive outage earlier this week. OTPs to complete credit card payments or login to email accounts, or even book train tickets, did not reach the customers.
Because of the massive disruption of the services which caused inconvenience to thousands of customers, TRAI then decided to suspend the implementation of the DLT system for a week.
SMS-based OTP is now a de facto two-factor authentication method for online banking activities and credit card payments. It is used in the registration or to log in to services, reset a forgotten password, reserve a restaurant table, and even register on the CO-WIN portal to schedule Covid-19 vaccination.
Apart from the DLT issue, mobile service blackouts due to various reasons have also impeded these OTPs from reaching the subscribers, causing inconvenience.
So, instead of relying on technology that is not in their control, businesses should stop using SMS based OTPs and start using other software-based or hardware-based token authentication, which are in their control, for two factor or multi-factor authentication. Some start-ups are working on public key infrastructure-based authentication method, which will do away with the shared secret concept.
A standard hardware token is a small hardware device, generally in the size of a credit card or keychain. A simple hardware token looks like a USB flash drive and contains a small amount of storage, holding a certificate or unique identifier and are often called dongles. More complex hardware tokens incorporate LCDs, keypads for entering passwords, biometric readers, wireless devices, and additional features to enhance security.
Many hardware tokens contain an internal clock that, combined with the device's unique identifier, an input PIN or password, and potentially other factors, is used to generate a code, usually output to a display on the token. This code changes regularly, often every 30 seconds. The infrastructure used to keep track of such tokens can predict, for a given device, what the proper output will be at any given time and can use this to authenticate the user.
A software token (aka soft token) is a piece of a two-factor authentication security device that may be used to authorise the use of computer services. Software tokens are stored on a general-purpose electronic device such as desktop computer, laptop, PDA, or mobile phone and can be duplicated. (Contrast hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated -- absent physical invasion of the device).