OTPs are considered secure because an OTP is only valid for one log-in session or transaction on a particular device
The biggest advantage of OTPs over static passwords is that they are not vulnerable to “replay attacks”
If you have recently tried to log into your Google account from a new device using your username and password, you might have found yourself diving for your phone as Google asks you to verify the number that shows up on the new device using the one sent to your account-linked phone number.
Referred to as multi-factor, two-step authentication or additional factor of authentication, the process fortifies the security of a digital account by using two different pieces of information. Typically, it requires you to “know something", in this case, your username and password, as well as “have something" such as your phone. This ensures that in order to gain access to your account, fraudsters will need to steal both your account details as well as the phone.
But this is not where the use of multi-factor authentication ends. As you must have noticed, for most online transaction, a one-time password (OTP) is generated and sent to your registered mobile number, which you have to enter to complete the transaction.
Initially, the Reserve Bank of India (RBI) mandated the use of multi-factor authentication for all payment networks. It required them to send an OTP or use a 3D PIN as the second part of the authentication process for any payment, which the customer would receive via SMS. The customer would receive an SMS of a generated PIN which they had to enter on the portal. However, following demonetization in November 2016, RBI received requests from various stakeholders to relax the two-step authentication process so that people could carry out digital transactions with more ease. In response to this, on 6 December 2016, RBI issued a notice relaxing the norms and saying that transactions below ₹2,000 would not require an OTP.
OTPs are considered secure because an OTP is only valid for one log-in session or transaction on a particular device. The biggest advantage of OTPs over static passwords is that they are not vulnerable to “replay attacks". This means that even if fraudsters are able to find out an OTP, they will not be able to misuse it since it is only valid for one session. But there are also other ways to complete multi-factor authentication. For instance, in net banking transactions, most banks require you to enter numbers from the grid at the back of your card. The alphabets corresponding with the numbers you need to enter are generated for each session to keep the process secure.
Although there are arguments against the method because reportedly the weaker implementations of the process are still vulnerable to scammers and hackers, multi-factor authentication does offer an additional layer of security, even if it does require a little extra effort.