Two-factor authentication solutions based on the one-time-password (OTP) concept have been providing strong protection for millions of accounts for almost as long as passwords have been around. This second factor, provided on top of the first one, typically a password, is valid for one authentication and dynamically generated. Over the years, the delivery methods for these second factors have changed in their appearance, from tokens users had to carry with them to software-based tokens and in their latest iteration (with the global advent of mobile phones) to text messages delivered to these devices. Although proven a good solution, there are some limiting inherent factors: manual user interaction (typing in the code), provisioning and setup for users and – being the logical attack location – the secrets needing to be stored centrally on the access servers.
In the last decade, with smartphones entering people’s lives on a global level and being carried around 24/7 in billions of shirt and pants pockets, handbags and – if you are working out or jogging – even strapped to your arms – your most personal device started accompanying you in unprecedented ways.
This widespread availability of newly available technology – which by today in most cases even includes a wide variety of biometric sensors, most commonly for scanning fingerprints, but also faces, the human eyes, voices or heartbeat rates – allows for new approaches without degrading the user experience (like interrupting what you are trying to do, change to another app, memorize the code and switch back to what you want to do, and sometimes even having to do it all over again because you just hit the 30-second limitation and have to redo it). Although solutions using OTP have definitely improved security, user acceptance has been ridiculously low (less than 10 percent according to research) due to the extra burdens created and not accepted by the vast majority of consumers. Another great benefit of most OTP solutions is the out-of-band ability (meaning it works even when you don’t have network coverage), the arrival of fast data networks like LTE, plus the majority of users in the regular consumer market accepting that in rare occasions there is no data connection (like in the elevator or in the basement on level -7). More than 90% of their usage of authentication services actually happens when they are covered. We have often heard phrases like ‘I am fine if it works wherever WhatsApp works’.
All of the above combined facts show that the requirements today for strong authentication solutions that are highly convenient (and ready to blow the legacy of SMS and OTP out of the water) are now widely available. And it is just the right timing as well, with the reports of OTP phishing and SMS interception and abuse steadily rising since 2015 and tech-savvy press articles starting to suggest back then to totally move away from these solutions (e.g. here’s an example on Wired), followed by the National Institute of Standards and Technology (NIST) condemning it and no longer considering it verification.
The main issue why these solutions still are vulnerable to phishing and man-in-the-middle (interception of messages by the bad guys) attacks even for the widely used verification of password resets (see here) is the fact that they still use so called ‘shared secrets’, so symmetric encryption.
Solutions like sezame on the other hand use a newer approach, a so called PKI. Through the usage of asymmetric pairs of cryptographic keys there is no such thing as shared secrets, such as passwords, to be intercepted.