
Passwords, OTPs, and Why Phishing Still Works

Sovio MultiAuth — FIDO passkeys for phishing-resistant authentication

The OTP Illusion

Most people believe that if a service sends them a one-time password by SMS, they are secure: anyone trying to break into the account would need the phone, which is physically protected.

This belief is wrong. And attackers know it.

In 2024, India recorded over 28,000 cyber fraud cases involving SIM swap, SMS interception, and social engineering — most targeting the OTP as the weak link. Globally, credential theft via phishing remains the number one attack vector, and OTPs have not stopped it. They have merely shifted the attackers’ methods.

Why the Current Practice Is Broken

OTPs are vulnerable to interception. SS7 protocol vulnerabilities allow attackers to intercept SMS messages. SIM swap attacks let them redirect OTPs to their own device. Phishing sites can relay OTPs in real time — a technique called reverse proxy phishing or adversary-in-the-middle (AiTM) — bypassing the OTP check entirely.

Passwords are a single point of failure. The average person has over 100 online accounts. They reuse passwords across them. A breach at one service leaks credentials that work at many others. Password managers help, but adoption remains low, and they do not protect against real-time phishing.

SMS-based MFA is no longer considered secure. NIST, SEBI, and RBI have all signalled that SMS OTP alone is insufficient for high-value transactions. SEBI’s cyber security circular explicitly recommends moving to phishing-resistant authentication for critical financial services.

Yet the default for most Indian services remains: password + SMS OTP. It is the lowest common denominator, and attackers have learned to exploit it at scale.

The Conceptual Shift: From Shared Secrets to Device-Bound Keys

All current authentication methods — passwords, OTPs, even TOTP codes — rely on shared secrets. Something the user knows (a password) or something the user receives (an OTP). Both can be phished because both involve information that passes through a channel the attacker can intercept.

The shift is to device-bound cryptography. Instead of a shared secret, the user’s device holds a private key. The service holds the corresponding public key. Authentication happens through a cryptographic challenge-response — no secret ever travels over the network.

This is what FIDO passkeys provide.

A passkey is a cryptographic key pair generated on the user’s device. The private key never leaves the device. To authenticate, the user unlocks the key with a biometric (fingerprint or face) or device PIN. The service validates the signature using the stored public key.

There is no password to steal. No OTP to intercept. No shared secret to phish.

How Sovio MultiAuth Enables This

Sovio MultiAuth implements FIDO2 and WebAuthn standards for passwordless, phishing-resistant authentication.

The experience is simpler than passwords, not harder:

  1. A user registers on a service. Instead of creating a password, they create a passkey — typically a biometric prompt on their phone or laptop.
  2. The passkey is synced across the user’s devices via platform providers (iCloud Keychain, Google Password Manager, etc.), so they are not locked out if they lose a device.
  3. To log in, the user presents their biometric or PIN. The device performs cryptographic authentication with the service. No password field, no OTP field.
  4. For existing systems, MultiAuth can be layered as an additional factor alongside existing authentication, enabling a gradual migration.

MultiAuth supports cross-platform authentication — web, iOS, and Android — so users get a consistent experience regardless of device. Enterprise plans include custom access policies, SSO/SAML integration, and self-service credential management.

Who Should Care

  • Banks and fintech platforms where account takeover directly results in financial loss. SEBI’s guidance on phishing-resistant MFA makes this a compliance issue as much as a security one.
  • Enterprise IT and security teams managing workforce authentication. Passkeys eliminate password reset costs — a major operational expense — while preventing credential-based attacks.
  • E-commerce and marketplace platforms where account takeover leads to fraudulent transactions and chargebacks.
  • Gaming and social platforms where credential theft is rampant and user trust is fragile.
  • Any service that currently relies on SMS OTP and is looking to upgrade its security posture.

The Bottom Line

Passwords and OTPs have been the default for three decades. They are no longer fit for purpose. Attackers have invested heavily in bypassing them, and they have succeeded.

FIDO passkeys are not a marginal improvement. They represent a fundamental change in how authentication works — from shared secrets to device-bound cryptography. The standards are mature. The platform support (Apple, Google, Microsoft) is universal. The regulatory direction is clear.

The question is no longer whether to move to passkeys. It is how quickly your organisation can get there.


Sovio MultiAuth provides FIDO2 passkey authentication for web and mobile. Book a demo to see how passkeys can replace passwords and OTPs in your application.
