
I've tried to find a standard that mentions the lifetime of an SMS OTP; however, NIST no longer recommends using SMS OTP due to the risks involved.

Regardless of the security concerns, I still need to implement SMS OTP and would like to know the standard criteria for implementing it. What should the lifetime be? How long should the user have to wait until he can request another OTP? Can the user request the same OTP again?

Kong
Interestingly enough, NIST does not ban SMS anymore! While the draft of SP800-63B contained the sentence "OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance." in chapter 5.1.3.2, the released SP800-63B is again fine with OOB authentication (SMS): https://pages.nist.gov/800-63-3/sp800-63b.html I was also very puzzled when I learned this. – cornelinux Sep 09 '18 at 19:15


In case you really need to implement such a thing: Paypal still uses SMS OTP. They generate a new token every 5 minutes and will generate a new one upon request if I remember correctly.

From my point of view there is no reason not to do so. Your timespan has to correspond to your other security measures (like rate limiting) to make sure the OTP is not guessable within that timespan. That's the only thing the timespan is really protecting against. That is because if someone manages to carry out one of the other possible attacks (a MITM on the mobile network, or attacking the mobile phone directly using malware), any timespan that the user takes to legitimately input the key is sufficient to carry out the attack as well.

Tobi Nary
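The answer's point is that the OTP lifetime only matters in combination with the number of verification attempts an attacker can make inside that lifetime. The following is an added example, not code from the question, the answer or PayPal; it implements the three controls the question asks about (lifetime, resend cooldown, single use) plus an attempt cap, and a helper that computes the resulting guess probability. The concrete numbers (5-minute lifetime, 60-second resend cooldown, 5 attempts per code, 6 digits) are assumptions chosen for illustration; the 5 minutes mirrors what the answer reports about PayPal. The injectable clock exists only to make expiry testable offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this example (not from any standard or the page):
OTP_DIGITS = 6
OTP_LIFETIME_S = 5 * 60      # code is valid for 5 minutes after issue
RESEND_COOLDOWN_S = 60       # user must wait 60 s before requesting a new code
MAX_ATTEMPTS = 5             # wrong guesses allowed per issued code


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpService:
    """Server-side state for SMS OTPs: one live code per user, single use."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                      # injectable for testing
        self.records: Dict[str, OtpRecord] = {}

    def request(self, user: str) -> Optional[str]:
        """Issue a fresh code, or return None if the resend cooldown is active.

        A fresh code is always generated; the previous one is invalidated, so
        a user cannot 'request the same OTP again'.
        """
        now = self.clock()
        rec = self.records.get(user)
        if rec is not None and now - rec.issued_at < RESEND_COOLDOWN_S:
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.records[user] = OtpRecord(code=code, issued_at=now)
        # In a real deployment the code is handed to the SMS gateway here and
        # never returned to the requesting client; it is returned only so the
        # example can be exercised offline.
        return code

    def verify(self, user: str, candidate: str) -> bool:
        """Check a submitted code; enforce lifetime, attempt cap and single use."""
        now = self.clock()
        rec = self.records.get(user)
        if rec is None:
            return False
        if now - rec.issued_at > OTP_LIFETIME_S:
            del self.records[user]              # expired: discard
            return False
        if rec.attempts >= MAX_ATTEMPTS:
            del self.records[user]              # too many guesses: discard
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.code, candidate)  # constant-time compare
        if ok:
            del self.records[user]              # single use
        return ok


def guess_probability(digits: int = OTP_DIGITS, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that an attacker who gets `attempts` online guesses per code
    hits a uniformly random `digits`-digit code. With the values above this is
    5 / 10**6 = 5e-06, which is the number the lifetime must be sized against:
    a longer lifetime is only safe if the attempt cap keeps this small."""
    return attempts / (10 ** digits)


if __name__ == "__main__":
    svc = SmsOtpService()
    code = svc.request("alice")
    print("issued", code, "second request blocked:", svc.request("alice") is None)
    print("verify wrong:", svc.verify("alice", "xxxxxx"))
    print("verify right:", svc.verify("alice", code))
    print("guess probability per code:", guess_probability())
```

The design choice worth noting is that the attempt cap, not the lifetime, bounds the attacker's online guessing: with five attempts per six-digit code the success chance is 5e-6 whether the code lives for one minute or five, and a cooldown on resends prevents an attacker from turning the resend path into unlimited fresh attempts.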