Improving your business’s security posture is critical in today’s digital ecosystem. 84% of Southeast Asian companies are hit with DDoS attacks every year, and thousands of those businesses have confidential files stolen by threat actors. Given that the majority of Southeast Asian consumers are concerned about their private information being hacked, businesses that suffer cybersecurity breaches take massive reputational damage and suffer significant profit loss.
But there’s a problem: Southeast Asian businesses account for 35.9% of worldwide cybersecurity events, making SEA the most significant threat actor region on the planet. Luckily, building a better security posture can start today, and it can start with mobile phones. One-time passwords can help secure your business against the growing security threats in SEA.
What is OTP?
One-time passwords (OTPs) are automatically generated passwords containing unique sets of numbers and letters that can be used for a single instance. So, you can send an OTP to an employee every time they try to sign in to a SaaS system, or to customers each time they attempt to sign in to your application.
OTPs are significantly stronger than user-created passwords. Since they can’t be shared across multiple devices, contain a random string of numbers and letters, and only last for a limited time on a single sign-in instance, OTPs can be used in conjunction with other security measures to reduce security friction and improve your overall security posture.
Typically, companies send OTPs as part of their 2-step authentication systems. These systems have users input their self-created password AND a one-time password that is sent via either SMS or voice.
OTP Best Practices
Let’s discuss some of the best practices for businesses looking to utilize one-time passwords to improve their security posture.
How Long Should One Time Passwords Be?
The character length of passwords is important, but there isn’t a reasonable consensus on how many characters make a password “secure.” Some researchers claim that passwords should be over six characters, while others claim that it should be 16 or beyond to be classified as secure. But, the length isn’t as important when it comes to 2-factor authentication. Here’s why.
Let’s say we use an eight-character OTP. Even if someone tried every character in every order in an attempt to crack it, it would take over 5 hours. But that’s only if it was using an extremely simple string of characters (e.g., “abcdefgh”). If you blend numbers into that pattern, it would take months, if not years.
How Long Should My OTP Work Until it Expires?
When you send OTP tokens to your staff or customers, you should expire those tokens after a certain length of time. We recommend expiring your OTP after 2 minutes. However, if you need to extend that time limit, you should always increase the character length and character complexity of your passwords. This helps prevent dictionary attacks and keeps your systems secure.
Ideally, you should work with an OTP API vendor who sends passwords on a secure network with high speeds. These high speeds can make requesting new passwords pain-free for customers who let their OTP expire.
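The expiry and single-use rules above, sketched as an added example (not Wavecell’s code or API): an in-memory issuer and verifier for eight-character OTPs with the recommended 2-minute lifetime. The `OtpStore` class, its method names and the five-attempt cap are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits  # letters and numbers
OTP_LENGTH = 8         # the article's eight-character example
OTP_TTL_SECONDS = 120  # the article's recommended 2-minute expiry
MAX_ATTEMPTS = 5       # assumption (not from the article): wrong guesses allowed per code


class OtpStore:
    """Hypothetical in-memory store holding one pending OTP per user id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # user_id -> [salt, digest, expires_at, attempts_left]

    def issue(self, user_id):
        # secrets draws from the OS CSPRNG; the random module is predictable.
        code = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LENGTH))
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        # Keep only a salted hash. Issuing again replaces any earlier code.
        self._pending[user_id] = [
            salt, digest, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS,
        ]
        return code  # pass to the SMS or voice channel; never log it

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]  # expired codes are dropped
            return False
        # Constant-time comparison avoids leaking how much of the code matched.
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        ok = hmac.compare_digest(candidate, digest)
        if ok or attempts_left <= 1:
            del self._pending[user_id]  # consumed on success, burned on last failure
        else:
            entry[3] = attempts_left - 1
        return ok
```

In production the pending entries would live in a shared store with its own TTL rather than a process-local dict.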
Should I Use SMS or Voice to Power My OTP?
Voice and text are equally valuable (in terms of security) when it comes to sending OTPs. In today’s mobile ecosystem, cloud-based systems that support voice and text via sophisticated APIs are easy to implement and extremely user-friendly. The Wavecell SMS API is used to share over 2 billion messages yearly, many of which are OTP messages.
There are tangible benefits to both voice and SMS for business, and the solution you choose will depend on your business needs.
SMS is preferred by some for a few reasons:
- OTP SMS messages are discreet and provide a convenient user experience
- Passwords may be synced automatically into applications
- SEA customers generally prefer SMS over voice services
Others prefer voice due to different considerations:
- Voice is better for customers who don’t have access to a smartphone.
- Voice calls may be more accessible for certain types of customers, due to disabilities or texting capabilities.
For most businesses, blending both solutions is an easy way to tap into the full benefits of OTP.
There is also a third option for your OTPs: push notifications. While push notifications are often cheaper, they rely on shared infrastructure.
Do OTP messages need dedicated routes?
A good OTP API provider will give you dedicated, high-quality SMS routes that prioritize OTP traffic and ensure that over 99% of OTP messages get to your user.
You should always make sure that your OTP provider gives you a dedicated route. Without this dedicated route, you may suffer from missed notifications/SMS messages and failed deliveries.
How Do You Automatically Generate OTP Codes?
With Wavecell’s SMS API, you can automatically generate and send OTP passwords for your applications. Whether you need to secure your on-site SaaS apps or you want to reduce threat actor attack vectors on your latest consumer-facing app, we can help you breed better security practices into your business with dedicated OTP SMS routes and an easy-to-configure cloud API.
Are you ready to improve your business’s account security without breaking the bank? Talk to us!