One-time passwords (OTPs) secure your business against the growing security threats in Southeast Asia (SEA). Discover best practices and how to get started with OTPs in this post.

Improving your business’s security posture is critical in today’s digital ecosystem. 84% of Southeast Asian companies are hit with DDoS attacks every year, and thousands of those businesses have confidential files stolen by threat actors. Given that the majority of Southeast Asian consumers are concerned about their private information being hacked, businesses that experience cybersecurity breaches incur massive reputation damage and suffer significant profit loss.

But there’s a problem. Southeast Asian businesses account for 35.9% of worldwide cybersecurity events, making SEA the most significant region on the planet for threat actors. Luckily, creating a better security posture can start today — and it can start with mobile phones. One-time passwords can help secure your business against the growing security threats in SEA.

What is an OTP?

A one-time password is an automatically generated password, made up of a unique set of numbers and letters, that can be used for a single instance. So, you can send an OTP to an employee every time they try to sign in to a SaaS system, or send one to customers each time they attempt to sign in to your application.

OTPs are significantly stronger than user-created passwords. They can’t be shared across multiple devices, they contain a random string of numbers and letters, and they only last for a limited time on a single sign-in instance. An OTP can be used in conjunction with other security measures to reduce security friction and improve your overall security posture.

Many companies send OTPs as part of their two-step authentication system. These systems have users enter both their self-created password and a one-time password that is sent via either SMS or voice.

OTP best practices

Let’s discuss some of the best practices for businesses looking to utilize one-time passwords to improve their security posture.

How long should one-time passwords be?

The character length of passwords is important, but there isn’t a reasonable consensus on how many characters make a password “secure.” Some researchers claim that passwords should be over six characters, while others claim that they should be 16 or beyond to be classified as secure. But the length isn’t as important when it comes to two-factor authentication. Here’s why.

Let’s say we use an eight-character OTP. Even if someone tried every character in every order in an attempt to crack it, it would take over 5 hours. But that’s only if it used an extremely simple string of characters (e.g., “abcdefgh”). If you blend numbers into that pattern, it would take months, if not years.

How long should my OTP work until it expires?

When you send OTP tokens to your staff or customers, you should expire those tokens after a certain length of time. We recommend expiring your OTP after two minutes. However, if you need to extend that time limit, you should always increase the character length and character complexity of your passwords. This helps prevent dictionary attacks and keeps your systems secure.
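The practices from the two sections above (an eight-character code of letters and numbers, two-minute expiry, single use) as an added Python example; it is not 8x8's code or API. The `OtpStore` class, its in-memory dictionary and the injectable clock are assumptions made for illustration, and delivery over SMS or voice is left to the provider.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits  # letters and numbers, as the post describes
OTP_LENGTH = 8          # the eight-character length from the post's example
OTP_TTL_SECONDS = 120   # the two-minute expiry the post recommends


class OtpStore:
    """Hypothetical in-memory store; a real service would use a shared datastore."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> (SHA-256 digest of code, expiry timestamp)

    def issue(self, user_id):
        # secrets draws from the OS CSPRNG; the random module is predictable.
        code = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LENGTH))
        digest = hashlib.sha256(code.encode()).digest()
        # Issuing a new code overwrites, and so invalidates, any earlier one.
        self._pending[user_id] = (digest, self._clock() + OTP_TTL_SECONDS)
        return code  # hand to the SMS or voice channel; do not log it

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]  # expired codes are purged
            return False
        candidate = hashlib.sha256(submitted.encode()).digest()
        # Constant-time comparison avoids leaking how much of the code matched.
        if not hmac.compare_digest(candidate, digest):
            return False
        del self._pending[user_id]  # single use: a correct code works once
        return True
```

Only a digest of the code is kept server-side, so a dump of the pending table does not reveal live codes directly.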

Ideally, you should work with an OTP API vendor who sends passwords on a secure network with high speeds. These high speeds can make requesting new passwords pain-free for customers who let their OTP expire.

Should I use SMS or voice to power my OTP?

When it comes to sending an OTP, both voice and text are equally valuable (in terms of security). In today’s mobile ecosystem, cloud-based systems that support voice and text via sophisticated APIs are easy to implement and extremely user friendly. The 8x8 SMS API is used to share over two billion messages yearly, many of which are OTP messages.

There are tangible benefits to both voice and SMS for business, and the solution you choose will depend on your business needs.

SMS is preferred by some for a few reasons:

  • OTP SMS messages are discreet and provide a convenient user experience.
  • Passwords may be synced automatically into applications.
  • SEA customers generally prefer SMS over voice services.

Others prefer voice due to different considerations:

  • Voice is better for customers who don’t have access to a smartphone.
  • Voice calls may be more accessible for certain types of customers, due to disabilities or texting capabilities.

For most businesses, blending both solutions is an easy way to tap into the full benefits of OTPs.

There is also a third option for your OTPs: push notifications. While push notifications are often cheaper, they rely on shared infrastructure.

Do OTP messages need dedicated routes?

A good OTP API provider will give you dedicated, high-quality SMS routes that prioritize OTP traffic and ensure that over 99% of OTP messages get to your user.

You should always make sure that your OTP provider gives you a dedicated route. Without this dedicated route, you may suffer from missed notifications/SMS messages and failed deliveries.

How do you automatically generate OTP codes?

With 8x8's SMS API, you can automatically generate and send OTPs for your applications. Whether you need to secure your on-site SaaS apps or you want to reduce threat actor attack vectors on your latest consumer-facing app, we can help you improve security practices for your business with dedicated OTP SMS routes and an easy-to-configure cloud API.

Are you ready to improve account security for your business without breaking the bank? Talk to us!