Useful as they were, One-Time Passwords have been shown to be defeatable by phishing and other scams: time for more PRMFA!
On 9 July 2024, Singapore’s central bank, the Monetary Authority of Singapore (MAS), and the Association of Banks in Singapore (ABS) announced that major retail banks in the country will progressively phase out the use of One-Time Passwords (OTPs) within the subsequent three months.
This process will affect bank-account logins by customers who are not currently users of bank-issued digital tokens and are still relying on OTPs. The logic is that digital tokens authenticate logins without an OTP that scammers could steal or trick customers into disclosing.
While OTPs were a useful option in multi-factor authentication (MFA), technological developments and more sophisticated social engineering tactics have since shown that OTPs are not foolproof. In a Singapore Police Force Annual Scams and Cybercrime Brief, phishing scams ranked among the top five cyber threats last year, with at least S$14.2m lost to cybercriminals. Phishing-Resistant MFA (PRMFA) has since been recommended by cybersecurity experts.
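The two paragraphs above state the rationale in one sentence: an OTP is a secret the customer can be tricked into handing over, whereas a device-bound token answers a challenge that only works for the site the device is really talking to. The following simulation, added here as an illustration and not code from the article, MAS, ABS or any bank, makes that difference concrete. It models a bank's verifier for both schemes and a customer who, in each case, unknowingly interacts with a lookalike site that forwards what it receives to the real bank. The HMAC-based device key is a deliberate simplification of the asymmetric keys used by real phishing-resistant schemes such as FIDO2/WebAuthn, which the article does not name; the origins and user names are constructed for the example.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "bank.example"          # constructed: the genuine login site
LOOKALIKE_ORIGIN = "bank-login.example"  # constructed: a lookalike site the customer was lured to


class OtpVerifier:
    """Bank side of a classic SMS/app OTP flow.

    The bank only learns the six digits. It has no way to tell whether the
    customer typed them into the genuine site or into a lookalike page that
    forwarded them, which is exactly the weakness the article describes.
    """

    def __init__(self):
        self._current = {}

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self._current[user] = code
        return code

    def verify(self, user, code):
        expected = self._current.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class DeviceToken:
    """Customer's enrolled device. Its answer covers the bank's challenge AND
    the origin the device actually observed, so the answer is unusable
    anywhere else. (Simplified: a shared HMAC key stands in for a
    device-held private key.)"""

    def __init__(self, key):
        self._key = key

    def respond(self, challenge, origin_seen):
        return hmac.new(self._key, challenge + b"|" + origin_seen.encode(), hashlib.sha256).digest()


class TokenVerifier:
    """Bank side of the device-token flow: fresh challenge per login, origin-bound check."""

    def __init__(self, origin):
        self._origin = origin
        self._keys = {}
        self._challenges = {}

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return DeviceToken(key)

    def challenge(self, user):
        c = secrets.token_bytes(16)
        self._challenges[user] = c
        return c

    def verify(self, user, response):
        c = self._challenges.pop(user, None)  # one-shot: a replayed answer fails
        if c is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], c + b"|" + self._origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def otp_login_via_lookalike(bank, user):
    """Constructed scenario: customer types the OTP into the lookalike page, which forwards it."""
    code = bank.issue(user)
    forwarded = code  # the lookalike page passes the digits straight through
    return bank.verify(user, forwarded)  # True: the bank cannot distinguish this from a real login


def token_login_via_lookalike(bank, device, user):
    """Same scenario with a device token: the device binds the origin it really saw."""
    c = bank.challenge(user)
    response = device.respond(c, LOOKALIKE_ORIGIN)  # forwarded to the bank by the lookalike page
    return bank.verify(user, response)  # False: origin mismatch, login rejected


def token_login_genuine(bank, device, user):
    c = bank.challenge(user)
    return bank.verify(user, device.respond(c, REAL_ORIGIN))  # True


if __name__ == "__main__":
    otp_bank, tok_bank = OtpVerifier(), TokenVerifier(REAL_ORIGIN)
    dev = tok_bank.enroll("alice")
    print("OTP forwarded by lookalike accepted:  ", otp_login_via_lookalike(otp_bank, "alice"))
    print("Token forwarded by lookalike accepted:", token_login_via_lookalike(tok_bank, dev, "alice"))
    print("Token used on genuine site accepted:  ", token_login_genuine(tok_bank, dev, "alice"))
```

The point the simulation makes for a defender is that the protection comes from what the credential is bound to, not from how the customer behaves: the OTP scheme has no signal to act on, while the token verifier rejects the forwarded answer purely from the origin mismatch, and the one-shot challenge also blocks any later replay.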
Said one of ABS’ directors, Ong-Ang Ai Boon: “This measure provides customers with further protection against unauthorized access to their bank accounts. While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers.”
According to Loo Siew Yee, Assistant Managing Director (Policy, Payments & Financial Crime), MAS, “this latest measure will complement good cyber hygiene practices that customers must continue to practice, such as safeguarding their banking credentials.”
In the private sector, one representative of an identity and access management firm weighed in. Ben Goodman, Senior Vice President and General Manager (Asia Pacific and Japan), Okta, noted: “The adoption of modern identity technologies, such as phishing-resistant multi-factor authentication and passwordless (log-ins), is the most impactful thing that organizations can do to protect their employees and customers. Passwordless stops people from (having their accounts) accidentally compromised when they have their passwords stolen. Through passwordless technology, people can easily and securely control their identity with their device.”
The impetus for the OTP phase-out was made public back in July 2023, when the MAS’ former Chairman, Tharman Shanmugaratnam, mentioned it in answer to questions in Parliament about increasing rates of local cybercrime.