Why are digital tokens more secure than SMS OTPs?

Vincent Delitz

Created: January 31, 2025

Updated: February 17, 2025

One-time passwords (OTPs) sent via SMS have long been used for online banking authentication, but they come with significant security risks. Digital tokens are now replacing SMS OTPs in financial institutions, offering stronger authentication and better phishing resistance.

Key Security Advantages of Digital Tokens

  1. Device Binding
    Digital tokens are tied to a specific mobile device, ensuring that only the authorized user can generate authentication codes. This makes it impossible for attackers to steal or intercept an OTP and use it on another device.

  2. Phishing Resistance
    SMS OTPs can be intercepted via SIM-swapping attacks or phished from users through fake banking websites. Digital tokens, however, operate within trusted banking apps and do not rely on manually entered codes, making them significantly harder to phish.

  3. End-to-End Encryption & Cryptographic Authentication
    Digital tokens use public-private key cryptography. When a user attempts to authenticate, the banking server sends a challenge, which is signed using a securely stored private key on the device. The signed response is verified using a public key, ensuring only the legitimate device can authenticate.

  4. Elimination of SMS-based Attack Vectors
    SMS OTPs rely on mobile networks, which can be hijacked, delayed, or intercepted. Digital tokens work independently of network providers, eliminating risks from carrier-based attacks.

  5. Push-Based Authentication Instead of Manual Code Entry
    Many digital tokens use push notifications instead of displaying a code. The user simply approves a login request in their bank’s app, further reducing the risk of phishing attacks.
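
The challenge-response exchange described under "End-to-End Encryption & Cryptographic Authentication", together with the device binding it provides, can be sketched as follows. This is an added Go example, not code from the article or from any bank's app; the Ed25519 algorithm, the `Server` type, its methods and the device id `phone-1` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Server struct {
	keys    map[string]ed25519.PublicKey // enrolled public key per device id
	pending map[string][]byte            // unanswered challenge per device id
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Enroll stands in for on-device key generation; the server keeps only pub.
func (s *Server) Enroll(id string) func(challenge []byte) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.keys[id] = pub
	return func(c []byte) []byte { return ed25519.Sign(priv, c) }
}

// Challenge issues a fresh random value for one login attempt.
func (s *Server) Challenge(id string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[id] = c
	return c
}

// Verify consumes the challenge before checking, so a replayed response fails.
func (s *Server) Verify(id string, sig []byte) bool {
	c, issued := s.pending[id]
	delete(s.pending, id)
	pub, enrolled := s.keys[id]
	return issued && enrolled && ed25519.Verify(pub, c, sig)
}

func main() {
	s := NewServer()
	sig := s.Enroll("phone-1")(s.Challenge("phone-1"))
	fmt.Println("first use:", s.Verify("phone-1", sig), "replay:", s.Verify("phone-1", sig))
}
```

Because each challenge is random and single-use, a captured signature is useless for a later login, and a signature made with any other device's key fails verification against the enrolled public key.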

Are Digital Tokens Completely Phishing-Proof?

While digital tokens significantly improve security, they are not completely immune to phishing. Attackers may attempt to trick users into approving fraudulent transactions (also known as MFA fatigue attacks). This is where passkeys provide an even stronger alternative, as they prevent authentication on fraudulent websites altogether.

The Future of Secure Authentication

Singapore banks are leading the way in phasing out SMS OTPs in favor of digital tokens. However, passkeys represent the next evolution in secure authentication, offering true phishing resistance and a seamless user experience.
