IF YOU WERE among the many squinting at your phone, looking for SMSes that never showed up on March 8th, you probably know what happened. A Telecom Regulatory Authority of India regulation issued in 2018 that attempts to weed out spam messages finally got enforced. This regula•tion puts in place a new system that requires (among other things) all entities which carry out telemarketing-related functions to register themselves and their templates in which they communicate their content. Since most compa•nies hadn’t done so, all their messages simply got scrubbed out of the system.
According to reports, around 40 crore SMSes weren’t delivered on March 8th. And although an extension of seven days was announced after the mass outage it caused, many continued to report disruptions in the SMS network.
Nobody would have really missed those messages since a vast majority of those would no doubt have been the very thing these new regulations seek to curtail. Except that this breakdown caused an outage in the one thing all of us now entirely depend upon: the OTP.
The OTP or the one-time password is now a crucial aspect of our life. We depend on it for nearly everything, from making a purchase through our banks, using money online to hail a cab or order a meal, logging in to new devices to even registering ourselves for the Covid-19 vaccine. Even though it has been a part of our web culture for some time, the pandemic and the ensuing lockdown has made us integrate it even further into the way we navigate the world.
The OTP is, of course, just one type of password. And passwords have probably been around since the time there was something of value whose access needed to be restricted to a few. We have the word ‘shibboleth’ derived from the Book of Judges (in the Old Testament and the Hebrew Bible), where in the battle between the tribes of Gilead and Ephraim, Gileadite soldiers used the word as a type of linguistic password using it to detect the Ephraimites (who pronounced it as ‘sibboleth’).
We arrived upon the OTP only recently because the traditional system of relying on a single password wasn’t working in the computer age. As recently as 2014, the man who came up with the world’s first known computer password, Fernando J Corbató, was calling passwords a nightmare. Corbató, who ran a computing project at the Massachusetts Institute of Technology, devised the first known computer password in the 1960s for his researchers to have their own accounts on a computer mainframe. “I don’t think anybody can possibly remember all the passwords that are issued or set up,” he told the Washington Post in 2014. “That leaves people with two choices. Either you maintain a crib sheet… or you use some sort of program as a password manager. Either one is a nuisance.” Corbató himself maintained a crib sheet of three typed pages for around 150 passwords.
The traditional password is a nuisance because you don’t just need to memorise multiple passwords for multiple accounts. You need to memorise complicated ones. The password fatigue that has set in as a result, accompanied with sophisticated phishing attacks, made it imperative for a two-step authentication process. Enter the OTP.
What the OTP does is provide a second layer of protection. A hacker now needs to get access to two different pieces of information: your memorised static password, along with the phone that carries your OTP. Since OTPs emerge from randomness, making any prediction of successor OTPs is difficult. And even if a hacker did get access to an OTP, no ‘replay attack’ of the nature seen with accounts protected by just a single static password can occur, since an OTP lasts for only a short period.
But as ubiquitous as the OTP is in our lives, its days may still be numbered. It is far from a perfect system. Mobile phones can be compromised through malware and OTPs rerouted to the hacker. Or people can be conned into revealing their OTPs.
The next jump that we take in authenticating our digital transactions may be one where we forego the password entirely. Several new methods—many of which are already being used in mobile phones, from fingerprint and face-detection technologies to iris recognition and retina-scanning features—are being looked into. The Economic Times reported last year that several telecom companies in India are looking to replace OTPs with a new type of mobile identity that will ensure secure transactions in one go. All this is still some time away. And for all its faults, as March 8th showed, OTPs remain very much a part of our lives.