2FA – The Use of OTP Token

by GOsafeonline | 17 March 2014

Authentication is the process of verifying the identity of a person and authenticating that “He is who he claims he is”. This is to reduce the probability that the requestor is presenting false evidence of its identity. The ways in which a user may be authenticated fall into three factors below:

  • A knowledge factor – “Something the user knows”, such as a password, PIN and pattern
  • A possession factor – “Something the user has”, such as ATM card and security token
  • An inherence factor – “Something the user is”, such as finger print and retina scan

Two Factor Authentication (2FA) is the approach to authentication using two or more of the three authentication factors. A system's authentication is strong when it requires at least two of the three authentication factors before users are granted access to the system.

When a bank customer visits an automated teller machine (ATM), one authentication factor is the physical ATM card which the customer inserts into the ATM ("something the user has"). The second authentication factor is the PIN the customer enters using the keypad ("something the user knows"). Without the combined verification of the two authentication factors, authentication does not succeed. 2FA is different from traditional single-factor authentication where only one authentication factor (usually a password) is required in order to gain access or permit any transaction.

The current practice adopted by banks requires 2FA at login for all types of internet banking systems. When a user accesses an online banking services, in addition to the User-ID and Password, the user will be required to enter an additional “second-factor password”, which is the One-Time Password (OTP). The OTP generated from a 2FA security token or delivered via SMS is typically a string of numbers (numeric) or a combination of alphabets and numbers (alphanumeric) characters. For security reasons, the OTP is designed and be valid only for a short period of time, after which user will have to obtain a new OTP. 


Digital Transaction Signing
 is an act that requires customers to use an OTP derived from a 2FA security token to digitally “sign” transactions that are deemed as high risk including high value fund transfers or changing customer’s details online. 2FA security tokens with on-board keypad can be used to sign electronic transactions in addition to its usual authentication function.

When performing an online banking operation, a user may use the following steps to digitally sign a transaction using a security token with a keypad:

  • The user enters a PIN and inputs transaction information, such as the account number and the transaction amount into the security token
  • The security token calculates and generate a OTP based on the input along with the time and user’s PIN
  • The user commits the transaction by entering the OTP on the signing page

Tips to Safeguard your 2FA OTP Security Token

2FA security token is an effective tool used to prevent interception and modification of your online transaction, you may use the following tips to safeguard your 2FA security token:

Why is 2FA Important?

Cyber attacks on online systems and customers’ computer have become increasingly widespread. Phishing, fake websites, spamming, viruses, worms, Trojans, keystroke loggers and spyware are the common threats that organisation systems and customers are facing. 2FA aids in countering hacking attacks and identity fraud. So what are the different types of 2FA mechanisms available and the common features?

How does it work? Pros Cons
Hardware Security Token
  • A key-chain size security token which generates OTP. Each time a user logs in, press the button on the security token to generate the OTP and this will be displayed on the screen.
  • A security token with advanced digital signing capability comes with a key pad. Instructions to use the digital signing capability will be provided by the organisation.
  • The token can be used both locally and overseas.
  • The security token with advanced digital signing capability can be used to digitally “sign” transactions to protect the authenticity of online transactions.
  • It’s a separate device.
  • User needs to replace the security token once its battery runs out (usually every 5-7 years).
Using SMS to receive One Time Password
  • An SMS containing user’s password will be sent to the mobile phone number registered with the organisation whenever user log in with your user ID and PIN.
  • User receives the password via the mobile phone. There is no need to carry a separate device.
  • User has to register their mobile phone number with the organisation and update the organisation if there are changes.
  • OTP Transmission is dependent on the mobile network service. There may be delays due to high mobile network traffic.
  • User may incur additional charges if user logs in overseas. The charges depend on the mobile operator/plan.
  • An SMS OTP does not allow user to digitally “sign” a transaction.

Interesting Reads