[T]OTPs are not as secure as you might believe

2023-02-15

Authors: Santiago Kantorowicz


Summary

The presentation discusses various methods to improve authentication security and prevent attacks, including reducing the number of attempts, not disclosing if the OTP or password is wrong, and using special solutions like UV keys and push authentication.
  • Reducing the number of attempts to log in can make it more difficult for attackers to use credential stuffing.
  • Not disclosing if the OTP or password is wrong can also make it more difficult for attackers.
  • Special solutions like UV keys and push authentication can improve security, but may not be feasible for all users.
  • Other methods like JavaScript validations and knowledge questions can also be used to improve security.
The speaker mentions that many websites lower their defenses to allow users to log in more easily, even though this increases the risk of fraud. He also suggests using direct carrier billing as a more secure alternative to traditional two-factor authentication methods.

Abstract

You likely receive OTPs (one-time passwords) all the time, usually in the form of an SMS with a 4 to 8 digit code in it. They are common when you sign in (or register) to Uber, your bank (usually as a second factor), WhatsApp, etc. The most widely adopted OTP size is 6 digits, and we just accept that it's hard to guess: after all, it's a 1 in a million chance, it's valid for just a few minutes, and we leave it there. A few paranoid folks might wonder what happens if someone gets a new OTP after the first one expires; they may assume it's another 1 in a million chance and continue with their lives. The truth is that when you calculate the actual chance of guessing an OTP one after the other, the odds are NOT 1 in a million. You will be surprised how the probability of guessing grows once you start thinking of brute forcing OTPs one after the other, and if you consider parallelising the brute force across different users, the surprise is even bigger.
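To put numbers on the claim above, here is an added worked example (my own, not material from the talk) that computes the cumulative guessing probability for repeated OTP windows and for a budget spread across many accounts, so a defender can pick an attempts-per-code limit against a risk target. It assumes each OTP is drawn uniformly and independently and that guesses within one window are distinct; the scenario values (6 digits, 5 attempts per code, 100 codes, 2000 accounts) are constructed.

```python
import math


def p_one_window(digits: int, attempts: int) -> float:
    """Chance of guessing a single OTP with `attempts` distinct guesses while it is valid.
    Assumption: uniform code, distinct guesses, so it is attempts / 10**digits, capped at 1."""
    space = 10 ** digits
    return min(attempts, space) / space


def p_over_windows(digits: int, attempts_per_window: int, windows: int) -> float:
    """Chance of at least one success when a fresh OTP is issued `windows` times.
    Each OTP is an independent draw, so failure probabilities multiply:
    P = 1 - (1 - p)**windows, done via log1p/expm1 to keep precision when p is tiny."""
    p = p_one_window(digits, attempts_per_window)
    if p >= 1.0:
        return 1.0
    return -math.expm1(windows * math.log1p(-p))


def windows_to_reach(digits: int, attempts_per_window: int, target: float) -> int:
    """Number of OTP windows (re-sends) after which P(at least one success) reaches
    `target` (0 <= target < 1). Solves (1 - p)**n <= 1 - target for n."""
    p = p_one_window(digits, attempts_per_window)
    if p <= 0.0:
        raise ValueError("no attempts allowed: probability never rises")
    if p >= 1.0:
        return 1
    return math.ceil(math.log1p(-target) / math.log1p(-p))


def p_any_of_users(digits: int, attempts_per_window: int, windows: int, users: int) -> float:
    """Same per-account budget applied to `users` independent accounts: chance at least one falls."""
    p_account = p_over_windows(digits, attempts_per_window, windows)
    if p_account >= 1.0:
        return 1.0
    return -math.expm1(users * math.log1p(-p_account))


def expected_compromised(digits: int, attempts_per_window: int, windows: int, users: int) -> float:
    """Expected number of compromised accounts, by linearity of expectation."""
    return users * p_over_windows(digits, attempts_per_window, windows)


if __name__ == "__main__":
    # Constructed scenario: 6-digit OTP, 5 guesses tolerated per code before lockout.
    print(f"one code, 5 guesses:           {p_one_window(6, 5):.1e}")
    print(f"re-sends to 50% on one account: {windows_to_reach(6, 5, 0.5)}")
    print(f"100 codes x 2000 accounts:     P(any) = {p_any_of_users(6, 5, 100, 2000):.3f}, "
          f"E[compromised] = {expected_compromised(6, 5, 100, 2000):.2f}")
```

Note that 5 guesses x 100 codes x 2000 accounts is one million guesses in total, and the result is roughly a 63% chance of at least one takeover and about one expected compromised account, which is the number a rate-limit policy should be judged against rather than the per-code 1 in a million.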

Materials: