January 30, 2025

OTPs versus Digital Tokens: A No Win Scenario

Digital tokens
digital transactions
Online security
OTPs
Phishing
voice biometrics

Digital tokens are taking over from traditional OTPs, but how much they actually improve online security remains a point of debate.

During the last month of 2024, Singapore’s Shared Responsibility Framework (SRF) came into effect, impacting banks and payment service providers, telcos, and the banking public. The SRF, the brainchild of the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority, seeks to allocate responsibilities and losses that arise from phishing attacks and scams.

The responsibilities allocated to the banks and Payment Service Providers (PSPs) make for interesting reading, given that in 2024 the MAS and the Association of Banks in Singapore (ABS) decreed that SMS-based OTPs would be replaced by digital tokens. The digital token functionality, contained in each bank’s mobile app, is a “tap to approve” for high-risk transactions, removing the need to enter an OTP back into a browser.

The responsibilities include a 12-hour cooling-off period after a digital token is activated, during which no high-risk transactions can be performed, as well as real-time alerts for every high-risk or outgoing transaction.

Do Digital Tokens Solve Phishing and Fraud Risks?

Phishing attacks are still occurring, so what were the perceived benefits of moving from SMS-based OTPs to digital tokens? The tokens cannot be intercepted by SIM swap attacks or SS7 hacks as SMS OTPs could, and the authorities claim successful phishing attacks are harder because there is no visible code for the victim to hand to a fraudster, such as in an impersonation attack.

The Unintended Weaknesses of Digital Tokens

However, there are downsides too. A fraudster who has obtained the victim’s login credentials can still initiate an unauthorized transaction, which generates the approval request on the target’s banking app. If the target inadvertently taps “approve” before thinking it through, the transaction is authorized. With an OTP, by contrast, the target had to round-trip the code into a browser session, so a one-tap inadvertent authorization was impossible.

OTP fatigue (also known as MFA fatigue or push bombing) is another technique fraudsters use to trick users of digital tokens into approving a fraudulent transaction. By initiating multiple transactions, the fraudster bombards the target with approval requests until the target concludes the app is glitching and taps approve just to make the prompts go away. This is still social engineering, so in effect one social engineering attack has been swapped for another, while other measures (the cooling-off period and the alerts) have had to be introduced to the detriment of customer usability.
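The fatigue pattern above is visible server-side before the victim ever taps approve: a burst of prompts the user refused or ignored, followed by an approval. The following is an added example, not code from ValidSoft, MAS or any bank, of a guard that stops delivering prompts once such a burst is under way and holds any approval that arrives during it. The event format, the ten-minute window and the threshold of three unanswered prompts are assumptions for illustration, and the log it replays is constructed.

```python
# Added example (not ValidSoft's or MAS's code): a server-side guard against
# "OTP fatigue" / push bombing of a tap-to-approve digital token.
# Assumptions: the bank's app server logs one event per approval prompt with
# the user, a timestamp and the outcome; the window and threshold are
# illustrative values, not figures from the article.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PromptEvent:
    user: str
    ts: datetime
    outcome: str  # "approved", "denied" or "ignored" (expired unanswered)


class FatigueGuard:
    """Tracks prompts the user did NOT approve inside a sliding window.

    Once max_unanswered such prompts have piled up, further prompts are not
    delivered ("suppress") and any approval that arrives during the burst is
    held for review ("hold") instead of releasing the transaction.
    """

    def __init__(self, window=timedelta(minutes=10), max_unanswered=3):
        self.window = window
        self.max_unanswered = max_unanswered
        self._unanswered = defaultdict(deque)  # user -> timestamps

    def _recent_unanswered(self, user, now):
        q = self._unanswered[user]
        while q and now - q[0] > self.window:  # drop entries outside the window
            q.popleft()
        return len(q)

    def decide(self, ev):
        in_burst = self._recent_unanswered(ev.user, ev.ts) >= self.max_unanswered
        if ev.outcome == "approved":
            # A tap-to-approve that follows a burst of refused/ignored prompts
            # is exactly the fatigue pattern: do not release the transaction.
            return "hold" if in_burst else "prompt"
        self._unanswered[ev.user].append(ev.ts)
        return "suppress" if in_burst else "prompt"


def replay(events, guard=None):
    """Run a prompt log through the guard; returns one decision per event."""
    guard = guard or FatigueGuard()
    return [guard.decide(ev) for ev in events]


# Constructed sample log: a fraudster fires transfers at "alice" for three
# minutes; she denies or ignores five prompts, then taps approve on the sixth.
T = datetime(2025, 1, 30, 9, 0, 0)
SAMPLE_EVENTS = [
    PromptEvent("alice", T + timedelta(seconds=5), "denied"),
    PromptEvent("alice", T + timedelta(seconds=40), "ignored"),
    PromptEvent("alice", T + timedelta(seconds=70), "denied"),
    PromptEvent("alice", T + timedelta(seconds=105), "denied"),
    PromptEvent("alice", T + timedelta(seconds=140), "denied"),
    PromptEvent("alice", T + timedelta(seconds=180), "approved"),
    PromptEvent("bob", T + timedelta(minutes=5), "approved"),  # unrelated user
    PromptEvent("alice", T + timedelta(minutes=25), "approved"),  # window has cleared
]

if __name__ == "__main__":
    for ev, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{ev.ts:%H:%M:%S} {ev.user:6} {ev.outcome:9} -> {decision}")
```

Run against the constructed log, the first three prompts go out, the fourth and fifth are suppressed, alice’s approval at the end of the burst is held rather than executed, and her approval twenty-five minutes later (outside the window) is treated normally. The guard only reduces the damage of a fatigue campaign; it does not bind the approval to the person tapping, which is the point the next section takes up.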

A More Secure Approach: Binding OTPs to the Intended User

OTPs are prone to social engineering attacks because anyone in possession of the OTP can use it. If, however, the OTP is bound to its intended recipient and unusable by anyone else, it is more secure than a digital token, because the user can neither make an inadvertent authorization nor fall victim to OTP fatigue: the OTP must still be round-tripped into the browser session that generated it. This was the intended strength of the OTP model, and it still holds if the user and the OTP can be bound.

And how to bind the two? Use voice biometrics: the user speaks the OTP rather than typing it. This binds the OTP to the intended user, so even if the OTP is handed to a fraudster through social engineering (or a SIM swap or SS7 hack), it is useless to them: the fraudster speaking the OTP into the originating browser session fails the voice check. The binding is only as strong as that check, so the speaker verification must also reject recorded or synthesized speech.
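To make the binding concrete, here is an added example, not ValidSoft’s See-Say code, of an OTP verifier that accepts a code only in the session that requested it, within its lifetime, once, and only when the spoken submission matches the enrolled user. The speaker check is stood in for by cosine similarity between small constructed “voiceprint” vectors, which is an assumption for illustration: a real deployment uses a speaker-verification model with anti-spoofing, since this stand-in would accept a replayed recording. Session identifiers, the threshold and the TTL are likewise assumptions.

```python
# Added example, not ValidSoft's See-Say code: an OTP verifier that accepts a
# code only (a) in the browser session that requested it, (b) within its
# lifetime, (c) once, and (d) when spoken by the enrolled user. The speaker
# check is stood in for by cosine similarity between small constructed
# "voiceprint" vectors; a real deployment uses a speaker-verification model
# plus anti-spoofing (this stand-in would accept a replayed recording).
# Session ids, thresholds and vectors are assumptions for illustration.
import hmac
import math
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

OTP_TTL = timedelta(minutes=3)
MATCH_THRESHOLD = 0.9  # illustrative; real systems tune this to a false-accept target


@dataclass
class Challenge:
    user: str
    session_id: str
    otp: str
    issued: datetime
    used: bool = False


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


class SpokenOtpService:
    def __init__(self, voiceprints):
        self.voiceprints = voiceprints  # user -> enrolled voiceprint
        self.challenges = {}  # session_id -> Challenge (one outstanding per session)

    def issue(self, user, session_id, now):
        """Create the OTP for a high-risk action started in session_id."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.challenges[session_id] = Challenge(user, session_id, otp, now)
        return otp  # delivered to the user out of band (SMS or app)

    def verify_spoken(self, session_id, spoken_digits, speaker_voiceprint, now):
        """Accept the OTP only from the originating session and the enrolled voice."""
        ch = self.challenges.get(session_id)
        if ch is None:
            return "no_challenge_for_session"
        if ch.used:
            return "replayed"
        if now - ch.issued > OTP_TTL:
            return "expired"
        if not hmac.compare_digest(ch.otp, spoken_digits):
            return "wrong_otp"
        if cosine(self.voiceprints[ch.user], speaker_voiceprint) < MATCH_THRESHOLD:
            return "speaker_mismatch"  # right code, wrong person: the phishing case
        ch.used = True
        return "ok"


# Constructed voiceprints (stand-ins for model embeddings).
ALICE_ENROLLED = [0.9, 0.1, 0.3]
ALICE_LIVE = [0.85, 0.15, 0.32]    # alice speaking today; cosine ~0.997
FRAUDSTER_LIVE = [0.1, 0.9, 0.2]   # someone else; cosine ~0.27


def run_scenarios():
    t0 = datetime(2025, 1, 30, 9, 0, 0)
    svc = SpokenOtpService({"alice": ALICE_ENROLLED})
    r = {}
    # Genuine: alice's own session starts a transfer and she speaks the code.
    otp = svc.issue("alice", "sess-alice", t0)
    r["genuine"] = svc.verify_spoken("sess-alice", otp, ALICE_LIVE, t0 + timedelta(seconds=20))
    # Same code spoken again in the same session.
    r["replay"] = svc.verify_spoken("sess-alice", otp, ALICE_LIVE, t0 + timedelta(seconds=40))
    # Phishing: the fraudster's session triggers the OTP, alice reads it out
    # to the "bank" on the phone, the fraudster speaks it into their session.
    otp2 = svc.issue("alice", "sess-fraud", t0)
    r["phished"] = svc.verify_spoken("sess-fraud", otp2, FRAUDSTER_LIVE, t0 + timedelta(seconds=60))
    # A code obtained via SIM swap/SS7 but presented in a session that never asked for one.
    r["wrong_session"] = svc.verify_spoken("sess-other", otp2, FRAUDSTER_LIVE, t0 + timedelta(seconds=60))
    # Right person, right session, but after the TTL.
    otp3 = svc.issue("alice", "sess-late", t0)
    r["expired"] = svc.verify_spoken("sess-late", otp3, ALICE_LIVE, t0 + timedelta(minutes=5))
    # Right person, right session, mis-spoken digits.
    otp4 = svc.issue("alice", "sess-typo", t0)
    wrong = f"{(int(otp4) + 1) % 10**6:06d}"
    r["wrong_otp"] = svc.verify_spoken("sess-typo", wrong, ALICE_LIVE, t0 + timedelta(seconds=10))
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14} -> {outcome}")
```

The "phished" scenario is the one the article is about: the fraudster holds the correct code and is in the originating session, which is exactly the situation in which a typed OTP succeeds, and the only check that stops them is the speaker match. The session check defends the SIM swap/SS7 case, and the single-use and TTL checks limit how long a leaked code is worth anything.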

The Ultimate Solution for Digital Transaction Security

Voice biometric authentication in conjunction with an OTP prevents all forms of OTP social engineering attack, rather than trading off which attacks are more likely, as the Singapore authorities appear to have done. The SRF looks very much like a band-aid for a flawed implementation.

Instead of settling for a compromise, organizations can implement ValidSoft’s See-Say® solution, which binds every OTP to the correct user through voice biometrics. By integrating this technology, financial institutions can eliminate the risks associated with both OTP-based and digital token-based authentication while delivering a seamless yet highly secure user experience. It is a new cryptographic, digital voice-authentication approach that ties an individual’s identity to a transaction or process at a non-repudiation level.