Banks are confronting a stark reality: the one-time password (OTP), long considered a reliable safeguard for account protection, is no longer sufficient in an environment increasingly dominated by automation and deception. Schalk Nolte, CEO of Entersekt, emphasized that the financial industry has been aware of OTPs’ limitations for over a decade, but the intensity of their exploitation has dramatically increased.
The Escalating Threat to OTPs
The core vulnerabilities of OTPs have not changed, but the scale of attacks has. Nolte explained that bots can now cycle through stolen credentials at speed, attempting login after login until one succeeds and triggers an OTP that the attacker can intercept or talk the customer into revealing. A control that was adequate in a calmer threat environment now faces relentless, automated pressure on the same old weaknesses.
Why Banks Still Depend on OTPs
Despite these evident limitations, OTPs remain deeply embedded in many banking authentication flows. Nolte attributes this persistence to operational convenience and cost-effectiveness. Deploying OTPs is straightforward, requiring little from the customer beyond a mobile number. This simplicity aligns with long-standing priorities around user experience, as it avoids the need for customers to download applications or complete complex enrollment steps. The process is often immediate and familiar.
Cost is also a significant factor. OTP systems are considerably less expensive to implement than more advanced authentication methods. For smaller financial institutions, such as community banks and credit unions, the balance between cost, usability, and perceived security often leads to continued reliance on these tools. This reliance comes with trade-offs, however. As institutions try to compensate for the inherent risks by adding more authentication prompts, customers experience growing friction, and their attention to, and trust in, each prompt diminishes.
Fatigue Weakens the Signal
Nolte highlighted a growing problem of overuse, leading to a form of authentication fatigue. When authentication requests appear too frequently, they begin to lose their significance. Customers may start responding automatically rather than thoughtfully, undermining the very purpose of the security control. This environment creates fertile ground for fraudsters who increasingly rely on persuasion rather than technical exploits.
Social Engineering Moves to the Forefront
According to Nolte, social engineering has emerged as a primary method for bypassing OTP-based security. ‘Social engineering is unfortunately… something that gets past all of these things,’ he stated. These attacks do not necessitate breaking encryption or intercepting messages. Instead, they focus on manipulating customers into willingly sharing their OTPs. This method exploits human trust rather than technical infrastructure.
Nolte recounted an instance where a fraudster posed as a bank employee conducting a security test. The customer was instructed to read back a one-time password to assist with the supposed check. ‘A couple of hundred thousand dollars later… it wasn’t a test,’ he observed. The example illustrates a broader weakness: the code itself stays secret, but nothing tells the customer what the code will authorize, so when authentication relies on user cooperation without clear context, a plausible pretext is all an attacker needs.
Making Authentication Context-Aware
To address these gaps, Nolte advocates a shift away from static authentication challenges towards intelligent, context-aware processes. ‘Make your dumb authentication smart,’ he advised. The objective is to evaluate the signals surrounding each interaction, including user behavior, location, and device characteristics, and to adapt the authentication step to the assessed risk rather than applying a uniform challenge to every transaction.
This adaptive approach allows banks to reduce unnecessary friction for legitimate users while focusing attention and stricter verification where anomalies appear. Instead of prompting every user for every action, systems can escalate verification only when suspicious patterns are detected. Nolte stressed that there is no single silver bullet; different authentication methods address distinct risks, and institutions must integrate them into a coordinated framework.
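The two ideas above, scoring the context of an attempt instead of prompting everyone, and recognizing the automated credential cycling described earlier, can be shown in a small risk engine. The following is an added example written for this page; it is not Entersekt's product logic, and the signals, weights and thresholds (30 to step up, 70 to deny, a ten-minute velocity window) are illustrative assumptions. The profiles and attempts are constructed sample data.

```python
"""Context-aware, risk-scored login decisions (added illustrative example)."""
from collections import defaultdict, deque
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class Attempt:
    user: str
    ip: str
    device_id: str
    country: str
    hour: int            # local hour of day, 0-23
    ts: float            # epoch seconds
    keystroke_ms: float  # mean inter-keystroke gap while typing the password


@dataclass
class Profile:
    devices: set
    countries: set
    active_hours: range = range(6, 23)
    keystroke_mean: float = 180.0  # this user's historical typing rhythm
    keystroke_sd: float = 40.0


@dataclass
class Decision:
    action: str
    score: int
    reasons: list


class RiskEngine:
    """Scores one login attempt and decides: allow, step up, or deny."""
    STEP_UP_AT = 30   # assumed thresholds, not a vendor's tuning
    DENY_AT = 70
    WINDOW = 600.0    # seconds of history kept for velocity signals

    def __init__(self, profiles):
        self.profiles = profiles
        self.by_ip = defaultdict(deque)    # ip -> (ts, user) of recent attempts
        self.by_user = defaultdict(deque)  # user -> (ts,) of recent OTP challenges

    def _trim(self, history, now):
        while history and now - history[0][0] > self.WINDOW:
            history.popleft()

    def evaluate(self, a: Attempt) -> Decision:
        p = self.profiles[a.user]
        ip_hist, otp_hist = self.by_ip[a.ip], self.by_user[a.user]
        self._trim(ip_hist, a.ts)
        self._trim(otp_hist, a.ts)
        ip_hist.append((a.ts, a.user))
        hits = []

        # Context signals: device, location and time of day versus this user's history.
        if a.device_id not in p.devices:
            hits.append((30, "new device"))
        if a.country not in p.countries:
            hits.append((25, "unusual country"))
        if a.hour not in p.active_hours:
            hits.append((10, "unusual hour"))
        # Behavioural signal: scripted entry is far faster and more regular than a human.
        z = abs(a.keystroke_ms - p.keystroke_mean) / p.keystroke_sd
        if z > 3:
            hits.append((20, f"keystroke timing z={z:.1f}"))
        # Velocity signal: one IP cycling through many accounts is credential stuffing.
        accounts = len({user for _, user in ip_hist})
        if accounts >= 5:
            hits.append((40, f"{accounts} accounts from one IP"))
        # Fatigue signal: a user already challenged repeatedly is being bombed or botted;
        # another OTP would only train them to answer on autopilot, so stop instead.
        if len(otp_hist) >= 3:
            hits.append((40, "repeated OTP challenges"))

        score = sum(points for points, _ in hits)
        reasons = [why for _, why in hits]
        if score >= self.DENY_AT:
            action = DENY
        elif score >= self.STEP_UP_AT:
            action = STEP_UP
            otp_hist.append((a.ts,))  # record the challenge we are about to send
        else:
            action = ALLOW
        return Decision(action, score, reasons)


# Constructed sample profiles (assumed, not real customer data).
PROFILES = {"alice": Profile(devices={"dev-a1"}, countries={"ZA"})}
PROFILES.update({f"user{i}": Profile(devices={f"dev-{i}"}, countries={"ZA"}) for i in range(6)})


def scenario_trusted():
    return RiskEngine(PROFILES).evaluate(
        Attempt("alice", "198.51.100.9", "dev-a1", "ZA", 10, 1000.0, 175.0))


def scenario_new_device_abroad():
    return RiskEngine(PROFILES).evaluate(
        Attempt("alice", "198.51.100.9", "dev-x", "NG", 10, 1000.0, 175.0))


def scenario_credential_stuffing():
    """Same IP, six different accounts in six seconds, from a device nobody enrolled."""
    eng = RiskEngine(PROFILES)
    return [eng.evaluate(Attempt(f"user{i}", "203.0.113.7", "bot-0", "ZA", 10, 1000.0 + i, 170.0))
            for i in range(6)]


def scenario_otp_fatigue():
    """One user from a new device, prompted again and again within ten minutes."""
    eng = RiskEngine(PROFILES)
    return [eng.evaluate(Attempt("alice", "198.51.100.9", "dev-x", "ZA", 10, 1000.0 + 60 * i, 175.0))
            for i in range(4)]


if __name__ == "__main__":
    for name, result in [("trusted", scenario_trusted()),
                         ("new device abroad", scenario_new_device_abroad())]:
        print(name, result)
    print("stuffing", [d.action for d in scenario_credential_stuffing()])
    print("fatigue", [d.action for d in scenario_otp_fatigue()])
```

The trusted login from a known device gets no prompt at all; the same user from a new device in a new country is stepped up; the fifth account tried from one IP inside the window tips the score into a block without any per-account signal having changed; and a user who has already been challenged three times in ten minutes is denied rather than sent a fourth code, which is the fatigue problem turned into a control. Two caveats a practitioner should keep in mind: the weights here are placeholders that a real deployment would fit to its own fraud data, and a login-time score does nothing against the read-back-the-code scam on its own. The transaction that follows the login needs the same treatment, with the amount and payee scored as context, so that the step-up lands where the money moves.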
Layering Defenses Without Disrupting Customers
Entersekt’s strategy, as outlined by Nolte, involves integrating intelligence into existing authentication stacks rather than replacing them entirely. The aim is to preserve the familiar user experience for customers while significantly improving the decision-making processes behind the scenes. ‘We plug into your authentication stack and make your authentication stack smart,’ he explained.
This involves incorporating behavioral analytics and a broader range of data signals to identify suspicious activity. Nolte used an analogy: traditional systems are akin to a generic alarm that signals a problem without identifying its cause. More advanced systems, however, can specify what is happening and recommend the appropriate response. This layered model also facilitates gradual adoption. Banks can begin by enhancing their current controls and then progressively introduce additional methods, such as passkeys or biometrics, as needed.
The continued reliance on OTPs reflects a fundamental tension between convenience and robust protection. As fraud tactics evolve and intensify, maintaining this balance with static tools becomes increasingly challenging. Nolte frames the path forward as an incremental process that prioritizes intelligence and context. ‘Take what you have and augment this with something that provides intelligence,’ he concluded, emphasizing the need for banks to enhance their existing security infrastructure with smarter, context-aware solutions.