The evolution of OTP: AutoOTP keeps device independence and neutralizes man-in-the-middle attacks

The development of AutoOTP technology has recently become a hot topic. It maintains device independence, the greatest advantage of OTP technology, and is not vulnerable to man-in-the-middle attacks.

With OTP technology, a user submits a one-time password to an online service, which verifies it. Unlike conventional biometric authentication technologies such as fingerprint authentication and facial authentication, there is no need to re-register user biometric information for each device, so OTP continues to be used in places such as banks, where tasks need to be processed on multiple devices such as PCs, mobile devices, and ATMs. OTP technology offers the security of never reusing the same password as well as independence from any particular device. However, a crucial weakness has been pointed out: if a user unintentionally accesses a fake online system and enters the OTP code there, the code can be stolen even though it is a one-time password. It is also inconvenient, since the user needs to read and enter the six-digit code each time.

To address the security limitations and inconvenience of such OTP authentication, AutoOTP technology is emerging through domestic and international standardization organizations. AutoOTP reverses the direction of verification: instead of the user entering an OTP into an online service for verification, the online service presents an automatic OTP value to the user, and the user verifies it through the AutoOTP mobile app.

Because the online service presents the automatic OTP code and the user verifies it, rather than the user reading and entering a code, the user can check whether the online service currently being accessed is legitimate. Service providers who operate multi-channel services also reduce their workload, since they do not need to operate a different authentication method for each service device.

Owing to its great usability and security, AutoOTP technology is already used in major banks, government institutions, and companies throughout South Korea.

Don Malloy, chairman of the OATH Initiative, which established the international OTP technology standard, commented, “While AutoOTP has the media-independent universality of conventional OTP, it is a next-generation authentication technology that will be widely applied and diffused, for it is prepared for man-in-the-middle attacks.” He also noted, “We will strive to disseminate AutoOTP technology along with OTP technology for global cyber security.”

Director Kim Hyo-Dong of DualAuth said, “While keeping up with the domestic and international standardization schedule, we plan on releasing AutoOTP technology, which is diffused through public online services such as banks, government agencies, and corporations, as freeware so that the general public and all online service providers will be able to use it without charge.”