Khaled Alissa

December 31, 2023

OTPs

  • Used in phone number logins.
  • Used in 2FA flows.
  • Used to confirm sensitive transactions (e.g. bank transactions), in which case the OTP MUST NOT be shared.
  • Used to confirm actions taken on your behalf (e.g. confirming a package delivery), in which case the OTP MUST be shared.
  • Sent by second- or third-party organizations, usually with context describing the pending action, but occasionally without any (e.g. a car rental OTP).
  • Entered through the phone's autofill feature, which discourages reading the accompanying text.
  • Rendered in SMS clients that are out of touch with how OTPs are used today.
  • Have become the most sensitive piece of information requested in a social engineering attack.
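The distinction drawn above between codes that must be shared and codes that must never be shared, and the point about messages arriving without context, can both be enforced on the issuing side. What follows is an added example, not code from the original post or from any product it describes: each OTP is bound to a user, a purpose name and a description of the pending action, and the SMS body states both the action and the sharing rule. The purpose names, the message wording and the HMAC-based binding are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical purpose names. Only the delivery case is meant to be handed to
# a third party (the courier); every other purpose is a code the user must
# never share.
SHAREABLE_PURPOSES = {"delivery_confirm"}


@dataclass
class PendingOtp:
    code_hash: bytes   # HMAC over code + binding; the plain code is never stored
    context: str       # human-readable description of the pending action
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues short-lived 6-digit OTPs bound to (user, purpose, context) and
    renders SMS text that carries the action and the sharing rule."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 300, max_attempts: int = 3):
        self._key = server_key
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._pending: Dict[Tuple[str, str], PendingOtp] = {}

    def _bind(self, user: str, purpose: str, context: str, code: str) -> bytes:
        # The digest covers everything the OTP confirms, so a code minted to
        # confirm a delivery cannot be replayed to approve a transfer, and a
        # transfer code cannot approve a different amount or account.
        msg = "\x1f".join((user, purpose, context, code)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user: str, purpose: str, context: str,
              now: Optional[float] = None) -> Tuple[str, str]:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user, purpose)] = PendingOtp(
            self._bind(user, purpose, context, code), context, now + self._ttl)
        return code, self.render_sms(code, purpose, context)

    @staticmethod
    def render_sms(code: str, purpose: str, context: str) -> str:
        # Put the action and the sharing rule in the body, so the text still
        # carries meaning when autofill lifts only the digits out of it.
        if purpose in SHAREABLE_PURPOSES:
            return (f"{code} is your code to {context}. "
                    "Give this code to the courier when they arrive.")
        return (f"{code} is your code to {context}. "
                "Never share this code with anyone, including our staff.")

    def verify(self, user: str, purpose: str, context: str, code: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = (user, purpose)
        rec = self._pending.get(key)
        if rec is None:
            return False
        if now > rec.expires_at:
            del self._pending[key]
            return False
        rec.attempts += 1
        if rec.attempts > self._max_attempts:
            del self._pending[key]      # lock out guessing
            return False
        ok = hmac.compare_digest(rec.code_hash,
                                 self._bind(user, purpose, context, code))
        if ok:
            del self._pending[key]      # single use
        return ok


def demo() -> Dict[str, bool]:
    """Walk through the two cases from the list above with a fixed clock.
    Every entry should be True."""
    svc = OtpService(server_key=b"demo-only-key")
    t0 = 1_700_000_000.0
    deliver = "confirm delivery of order 1234"
    transfer = "approve a transfer of 500 to account 9876"
    d_code, d_sms = svc.issue("alice", "delivery_confirm", deliver, now=t0)
    t_code, t_sms = svc.issue("alice", "transfer_approve", transfer, now=t0)
    e_code, _ = svc.issue("bob", "login", "sign in to your account", now=t0)
    return {
        "delivery_sms_says_share": "Give this code to the courier" in d_sms,
        "transfer_sms_says_never_share": "Never share this code" in t_sms,
        # A shared delivery code is useless against the transfer flow.
        "delivery_code_cannot_approve_transfer":
            not svc.verify("alice", "transfer_approve", transfer, d_code, now=t0 + 10),
        # The transfer code only approves the exact action it described.
        "transfer_rejected_for_changed_amount":
            not svc.verify("alice", "transfer_approve",
                           "approve a transfer of 5000 to account 1111", t_code, now=t0 + 10),
        "transfer_ok": svc.verify("alice", "transfer_approve", transfer, t_code, now=t0 + 20),
        "transfer_replay_rejected":
            not svc.verify("alice", "transfer_approve", transfer, t_code, now=t0 + 30),
        "delivery_ok": svc.verify("alice", "delivery_confirm", deliver, d_code, now=t0 + 40),
        "expired_rejected":
            not svc.verify("bob", "login", "sign in to your account", e_code, now=t0 + 600),
    }
```

Because the stored digest covers the purpose and the action text, a code the target was legitimately told to share (the delivery one) is worthless to an attacker who tries to push it through the transfer flow, and a transfer code cannot be replayed for a different amount or account. This does not stop a caller from talking the target into reading out the transfer code itself, which is the uphill battle described below; it narrows what a leaked code is good for and puts the context in the text for whoever does read it.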


The widespread use of OTPs by businesses, across so many scenarios and use cases, has made sharing an OTP feel natural to customers.

Targets are often blamed when they share their OTPs; just know that they are fighting an uphill battle every time.