One Time Password SMS service routes were previously used to send OTPs for a single transaction. But as per the new regulations issued by TRAI, transactional routes are now used to send OTP SMS.

The transactional route is reserved for banks to send OTPs. Other informative messages, such as account debit, credit and receipt notices, are carried on the Service Implicit route.

Typically, an SMS on the Transactional route reads: "Your OTP is 2675. Do not share with others." An SMS on the Service Implicit route reads: "Your account is debited with Rs.10,000 and your available balance in the account is Rs.1,20,000."

Why OTP SMS Service?

An OTP SMS service, i.e. an OTP sent via SMS, is one of the steps in the two-step authentication process that most online transactions now require. It also makes it difficult for spammers to gain access to online accounts.

This prevents many fraudulent activities by checking whether the person initiating the transaction and the owner of the debit/credit card being used are the same person. The check is done by sending an OTP via SMS to the mobile number registered with the bank account used for the transaction.

Most OTPs sent to a mobile number are auto-generated numeric or alphanumeric strings that are valid only for a short period of time.

Once the time limit is exceeded, the token/code is shown as invalid and the user is asked to generate a new code by clicking the 'Resend OTP' option, which is available on almost all online payment gateways.

Once the OTP is verified with the payment gateway, the user can finalize the purchase. Nowadays, cell phones are one of the most common gadgets that the majority of people carry around.
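The three steps above (generate a short-lived random code, expire it or reissue it on 'Resend OTP', and verify it once) are shown here as an added example; this is not code from the original post or from any payment gateway. The 180-second validity window, the five-attempt limit, the `OtpStore` class and the mobile number are all assumptions made for the example; a real deployment would keep the store in a database or cache rather than in memory.

```python
import secrets
import hmac
import hashlib
import time

OTP_TTL_SECONDS = 180      # assumed validity window; the text only says "a short period"
MAX_ATTEMPTS = 5           # assumed limit on wrong guesses before the code is discarded


class OtpStore:
    """In-memory record of issued OTPs, keyed by mobile number (constructed for this example)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised deterministically
        self._entries = {}         # mobile -> {"digest", "expires_at", "attempts"}

    @staticmethod
    def _digest(mobile, otp):
        # Store only a keyed hash of the code so a leaked store does not reveal live OTPs.
        return hmac.new(mobile.encode(), otp.encode(), hashlib.sha256).hexdigest()

    def issue(self, mobile, digits=6):
        """Generate a numeric OTP from the CSPRNG and (re)issue it for this mobile number."""
        otp = "".join(secrets.choice("0123456789") for _ in range(digits))
        self._entries[mobile] = {
            "digest": self._digest(mobile, otp),
            "expires_at": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp   # this value is what goes into the SMS body

    def resend(self, mobile):
        """'Resend OTP': the previous code is replaced, so it can no longer be used."""
        return self.issue(mobile)

    def verify(self, mobile, submitted):
        """Return (ok, reason). A code is single-use and dies on expiry or too many tries."""
        entry = self._entries.get(mobile)
        if entry is None:
            return False, "no_code_issued"
        if self._now() > entry["expires_at"]:
            del self._entries[mobile]
            return False, "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._entries[mobile]
            return False, "too_many_attempts"
        # Constant-time comparison of the digests, so timing does not leak matching prefixes.
        if hmac.compare_digest(entry["digest"], self._digest(mobile, submitted)):
            del self._entries[mobile]       # single use: a verified code cannot be replayed
            return True, "ok"
        return False, "mismatch"


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("9876543210")          # constructed mobile number
    print("sent:", code)
    print("wrong guess:", store.verify("9876543210", "000000"))
    print("right guess:", store.verify("9876543210", code))
    print("replay:", store.verify("9876543210", code))
```

The attempt limit matters as much as the expiry: a 6-digit code has only a million values, so without a cap on guesses the short validity window alone does not stop online guessing. Deleting the entry on success is what makes the code "one-time".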

Mobile phones are considered secure and safe, and people trust them to a great extent. Therefore, an OTP sent through SMS offers users both comfort and security.

Is OTP Secure even with Mobile Apps?

Unfortunately, not much.

The OTP process, which seems to be a solid authentication step, is now easily bypassed by other mobile apps. On that basis, mobile apps can be categorized as legitimate apps and malicious apps.

A legitimate mobile app intercepts the SMS containing the OTP to give the user a faster transaction experience, whereas a malicious app intercepts the same SMS and may use it to commit a fraudulent transaction. Both kinds of app use the same mechanism but serve different purposes.

The permissions a mobile app needs in order to intercept an OTP SMS are the permission to receive SMS and a permission to send content onward, over the internet or by SMS.

The permissions look something like:

  • android.permission.RECEIVE_SMS
  • android.permission.INTERNET or android.permission.SEND_SMS
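Because a legitimate OTP auto-fill app and a malicious one declare the same permission pair, the combination is a triage signal rather than a verdict. The following added example (not code from the original post) reads an Android manifest and flags apps that can both receive SMS and forward content, so a reviewer knows which apps to look at more closely. The two manifests, their package names and the helper names are constructed for this example; the permission strings are the real Android ones named above, plus `READ_SMS`, which gives the same access to stored messages.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The two halves of the pattern described in the text: reading incoming SMS, and a channel
# to send what was read somewhere else (network or outbound SMS).
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
FORWARD_CHANNELS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."/> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def otp_interception_risk(manifest_xml):
    """Return (flagged, reasons).

    flagged is True only when the app can both read SMS and forward content. A hit means
    'review this app', not 'malicious': OTP auto-fill apps request exactly this pair.
    """
    perms = declared_permissions(manifest_xml)
    can_read = perms & SMS_READ
    can_send = perms & FORWARD_CHANNELS
    reasons = []
    if can_read:
        reasons.append("reads SMS via " + ", ".join(sorted(can_read)))
    if can_send:
        reasons.append("can forward content via " + ", ".join(sorted(can_send)))
    return bool(can_read and can_send), reasons


# Constructed sample manifests for this example (not taken from any real app).
MANIFEST_AUTOFILL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.wallet">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

MANIFEST_OFFLINE_TOOL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.notes">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in [("wallet", MANIFEST_AUTOFILL), ("notes", MANIFEST_OFFLINE_TOOL)]:
        flagged, reasons = otp_interception_risk(manifest)
        print(f"{label}: {'REVIEW' if flagged else 'ok'} {reasons}")
```

A manifest check only tells you what an app could do; deciding whether it should is a policy question for the reviewer. Note that Android also offers the SMS Retriever and SMS User Consent APIs, which let an app read a single OTP message without holding `RECEIVE_SMS` at all, so an OTP auto-fill app that still requests the broad permission is worth a closer look.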

Some websites and mobile apps use OTP SMS not only for transactions but also to reset or change passwords, register new accounts, download important documents, and so on.

In recent years many businesses have come to rely on OTP verification for transactions on their site or even over the telephone. For websites, OTP remains a secure way of transacting, and it is efficient because users with no internet access on their mobile phones can still use this multi-factor authentication solution.

An alternative to OTP via SMS is OTP via call. The user receives a phone call on their mobile number in which a spoken voice delivers the code to be used. The voice option is also an advantage for users with limited eyesight.

Voice can also serve as a backup if SMS delivery fails or any other issue arises.

Authenticator apps are used in organizations to authenticate employee logins. A number of providers offer this kind of service to organizations.

Simply search for "authenticator" in Google Play or the App Store and you will be bombarded with dozens of options. It is recommended to choose an app made by a major, trustworthy developer, since you are about to entrust it with the keys to your accounts.

Even though the core functionality all these apps serve is the same, namely creating a one-time access code, some apps provide extra interface features that may appeal to the user.

Some of the more interesting options are Google Authenticator, Duo Mobile, Microsoft Authenticator, FreeOTP, Authy, etc. These apps are supported on both Android and iOS.
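The one-time code that all of these authenticator apps produce is a TOTP (RFC 6238), which is an HOTP (RFC 4226) computed over the current 30-second time window. The example below is added here to show that derivation end to end; it is not code from the original post or from any of the apps named. The only external values are the reference secret and test vectors published in RFC 4226 and RFC 6238; the `window` drift tolerance and the `provisioning_uri` helper are assumptions for the example, using the `otpauth://` URI format that authenticator apps read from QR codes.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret, submitted, for_time=None, step=30, digits=6, window=1):
    """Accept the current window and +/- `window` neighbours to absorb clock drift.

    Each candidate is compared in constant time; `window` is an assumed tolerance.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that an authenticator app imports from a QR code (assumed helper)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (
        f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
        f"&algorithm=SHA1&digits=6&period=30"
    )


# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used as a test vector.
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))                  # RFC 4226 vector: 755224
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
    print("TOTP now:", totp(RFC_SECRET))
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleCorp"))
```

Two points the derivation makes visible: the shared secret never leaves the device once enrolled, which is why an authenticator code cannot be intercepted the way an SMS can; and the server must still enforce the same single-use and attempt-limit rules as for SMS OTPs, since the code space is just as small.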