What Are The Drawbacks Of Using One Time Passwords (OTP) & Social Logins?
Did you know that every time you sign in on a website or an app through OTP or social logins, the identity provider (IDP) stores your data along with the data of millions of users?
This article highlights the challenges involved with password-based authentication systems, and why blockchain-based privacy-preserving logins are a game-changer compared with traditional OTPs.
One Time Passwords (OTP)
One Time Passwords, commonly known as OTPs, are a two-step authentication login process. OTPs come in two types:
- Delivery of the OTP via SMS.
- Generation of a new code every time you log in, or within a predefined, algorithm-based time frame.
The first type is achievable when one has a device with network connectivity and a phone number to receive the OTP. In contrast, the second type of OTP is generated locally by a hardware security token or an authenticator app such as Google Authenticator or Microsoft Authenticator.
Social Logins
Another commonly used Single-Sign-On authentication mechanism is social logins, logging in via an already created social profile on Google and Facebook. Social logins have gained popularity because:
- Time-saving, single-click login.
- The user doesn’t have to remember multiple usernames and passwords.
- No need to type in all details, such as name, email, phone number, etc.
Social logins help users build a profile on a portal by accessing data directly from an identity provider (IDP) or social login providers.
Problems With Password-Based Authentication
Even though OTP and social logins offer a seamless and easy login process, they have serious security and privacy drawbacks. Both password-based authentication systems have loopholes that lead to data breaches and hacks.
Drawbacks Of OTP
- Exploitable Mobile Providers: Cellular network traffic may not always be encrypted, giving third parties on the network path a chance to monitor your data. The best you can do is trust your mobile operator, or operators in the case of roaming users.
- Lack of Two-Way Authentication: The lack of mutual authentication and weak encryption algorithms pave the way for a cyber attacker to acquire your OTP. OTPs received via SMS are more susceptible to cyber attacks as they are prone to wireless interception and malware attacks.
- Forceful Number Sharing: Giving out phone numbers for logins isn’t considered safe, as phone numbers are linked with bank accounts. Another issue that comes with sharing phone numbers is the rise in unwanted SMS and spam calls.
- Inconvenience: OTPs can also be considered inconvenient, as users have to copy the OTP from the device on which they receive it, forcing a switch between interfaces.
Drawbacks Of Social Logins
- Outdated Processes: Social logins still rely on the old password reset flows introduced over a decade ago. Apart from small tweaks to the password requirements, nothing has changed.
- User-Tracking: Users’ activity is well known to be harvested and sold to third parties for a wide variety of purposes. Our user data is constantly monitored via our social media logins, which raises privacy concerns.
- Lack of Transparency: Social logins lack transparency because the same credentials can be shared between peers in an organization.
- Hacking Vulnerability: The username and password for social logins are stored in a centralized database which, once hacked, leads to serious data breaches.
- Low Security: Just like mobile operators in the case of OTPs, identity providers can track, trace, run analytics on, and sell your data to someone else.
These password-based authentication systems do not value the privacy and protection of users’ data. But getting rid of the identity providers is not a constructive solution to all these problems. So how do we overcome this?
Imagine a login system in which the identity provider stores no data and instead verifies the user through a proof of identity. Say hello to Hypersign logins!
How Does Hypersign Keep Your Data Safe?
Hypersign is a decentralized identity and access management infrastructure built with the aim of resolving the data security issues faced by consumers. By leveraging technologies such as blockchain for its public key infrastructure, Hypersign provides passwordless authentication, authorization and verification services.
Hypersign differs from password-based authentication in the following ways:
- Hypersign uses QR codes for authentication, unlike traditional OTP-based logins. QR codes eliminate the need to remember or reset your password and prevent potential hacking attacks. QR codes also make the app accessible to everyone globally, with no need to read or type unfamiliar words and symbols.
- An anonymous and private web wallet helps speed up the process of Hypersign logins and issuing identities. Just a few clicks, and users are set up with a secure and user-friendly authentication solution.
- The Hypersign server uses cryptographically signed credentials, meaning your data is safe and no one can steal it.
- The user’s verifiable credentials are stored on a mobile device or cloud agent, accessible only to that user. This gives the end consumer full control over their data, resulting in zero unsolicited ads and spam messages.
- Users share information directly with the website, thus avoiding third-party interference.
- Hypersign is free for end-users.
- A subscription is required for providers, who end up paying 90% lower fees for the service compared to other similar solutions.
To Summarize
If you’re looking for secure, true two-factor authentication, you should stay away from OTP and social login solutions.
In a world where most customer-facing applications rely on third-party authentication such as OTP-based or social logins, Hypersign aims to overhaul this process, giving individuals back full control over their personal data.
Your privacy is your business, and only you should be in charge of it.