A. Khedron de León - May 11, 2021

SMS OTP for PSD2 SCA

FIDO  Payments/E-Commerce  PSD2  Cybersecurity ROI  SCA

This article is part 2 of 7 in the series: An Evaluation of Strong Customer Authentication (SCA) Methods for the Revised Payment Services Directive (PSD2).

The following criteria are used for comparison:

  • Equipment and infrastructure: Costs and benefits
  • Ease of deployment: Portability, proprietary limitations, and distribution considerations 
  • Ease of loss replacement: Steps needed for a user to begin anew
  • Vulnerabilities: Process, hardware, or software weaknesses
  • Convenience/speed: The time it takes and ease of the user experience; reports range from as low as 7s to 15s of a user’s experience to determine whether or not they remain in the purchase, so every second counts

Short Message Service (SMS) One-time Passwords (OTP) for PSD2 SCA

SCENARIO: You sign into a site, but before you’re granted access, the site requires you to verify your identity by entering a one-time password (OTP) sent via SMS to a phone number you previously provided the site. Best case scenario: you’re on a mobile browser so the code pops up in a text message and you can quickly enter it into the site to log on. If you’re on a desktop computer, receiving the code via SMS might require a bit of squinting. If the phone number you listed on the site is no longer in service, you have a problem.

Assuming you have access to your phone number and are able to log on, the system accepted your successful input of the code as proof that you are really you because your phone is in your hands. What it doesn’t take into account is that your phone may have been stolen or that someone may have been monitoring your phone traffic.

ANALYSIS: While SMS OTP was once favored because of its ease of deployment and use, these are also the very things that open this method to attack. With the prevalence of mobile phones, no additional hardware is required for either the service or the user. Likewise, OTP deployment and replacement are non-issues since a new OTP can be easily re-issued across the SMS channel at no additional cost. SMS technically fails the SCA test based on vulnerabilities with the SS7 cell phone network plus the time-honored practice of SIM-swapping; this report has more in-depth explanation. 

Coupling it with passwords still does little to nothing to prevent vulnerabilities to phishing, MITM, and replay attacks, as the SS7 network is still in the middle of any text send. Applications attempting to make a better experience often provide quick copy-paste functionality when presented with OTPs; this simplicity uses the clipboard, which is low-hanging fruit for attackers. On PCs, child application windows may need to be opened, possibly presenting yet more attack surface.

The time to use OTP is 8–12 seconds, averaging squarely at the not-so-sweet spot of exactly when people decide to bail or not. An audio method has been developed to make issuing an OTP more secure, but it is much lengthier and more cumbersome by comparison.

  • Equipment and infrastructure: $: software only; public cell networks
  • Ease of deployment: Easy: most users have a personal device
  • Ease of loss replacement: Easy: resend number
  • Vulnerabilities: SS7 network; phishing; MITM; replays
  • Convenience/speed: 8-12s

Check out the next article: Hardware OTP for PSD2 SCA.


StrongKey FIDO Server (SKFS) is the world’s only open source FIDO® Certified FIDO2 Server. StrongKey never charges per-license or per-user fees, allowing you to keep your costs low even as your business grows. We offer CryptoCloud hosting, PKI solutions including conversion from existing PKI to a FIDO ecosystem via PKI2FIDO, and enterprise-wide FIDO2 strong authentication for businesses on six continents.