Can One Time Password Ensure Security in E-Commerce

29/06/2020

GUSTI MADE ARYA SASMITA


Author: Gusti Made Arya Sasmita, Henrico Aldy Ferdian


The COVID-19 pandemic has changed many people's habits. One change is that conventional shopping is being replaced by online shopping, often known as e-commerce. Shopping online is becoming a lifestyle in its own right, because it is more practical and offers many choices of goods across various categories in one place. The question now is how safe the transaction process is when it is done online.

With the increasing number of e-commerce users in Indonesia, transaction security in e-commerce needs special attention. One layer of security in e-commerce transactions is the OTP, short for One-Time Password. OTPs are generally sent via SMS to the mobile number linked to the e-commerce account, and they are valid for only a few minutes. We then enter the OTP code from the message to continue the transaction process. If the time limit is exceeded, we must request a new OTP code. For some people this process is a bit difficult. However, with OTP, users do not need to be alarmed if other people want to take certain actions on their accounts. So how does OTP increase the security of transactions in e-commerce?

OTP codes can be created based on mathematical formulas, time, location, or a combination of these three elements. Basing the OTP on these elements ensures that the codes received by different users at the same time differ from one another. The OTP used in this implementation is based on time and location. Time and location-based OTPs can generally only be implemented if the user's device has a GPS (Global Positioning System) module. Under certain conditions this type of OTP can be implemented without a GPS module on the user's device, for example when the device is connected to the internet via Wi-Fi that carries location information.

As we know, OTP codes are generally sent via SMS to the user's mobile device. Most mobile devices are now equipped with a GPS module, which helps obtain an accurate location for the device. With location and time-based OTPs, before creating a code, the e-commerce application first retrieves information such as the IMSI (International Mobile Subscriber Identity, a 15-digit unique code stored on the mobile operator's card chip), the location, and time synchronization from the device the user is using to conduct the transaction or request the OTP code. The server then generates a unique OTP code calculated from the user's time and location. The OTP code is then sent through a channel such as SMS, so that users can authenticate to their e-commerce account with the code they have been given (Hsieh and Leu, 2011). Location and time-based OTP has a fairly high level of security, because authentication only succeeds if the location and time of the user requesting the OTP code match the location and time of the user who enters it. Therefore, if the user requesting an OTP is moving, this type of OTP needs to predict the location and allow a distance tolerance from the predicted point. If you want more in-depth information about how location and time-based OTP works, you can consult the reference in this article.
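The generate-and-verify flow described above can be sketched as follows. This is an added example, not code from the article or the scheme of Hsieh and Leu (2011); it assumes a per-user shared secret, HMAC-SHA256, a 0.01 degree location grid and a 180-second time step, and all names and values in it are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 180        # assumed validity window ("a few minutes")
CELL_MICRODEG = 10_000    # assumed grid cell: 0.01 degree, about 1.1 km of latitude

def _cell(lat, lon):
    """Quantize coordinates to an integer grid cell (integer math avoids float drift)."""
    return (round(lat * 1_000_000) // CELL_MICRODEG,
            round(lon * 1_000_000) // CELL_MICRODEG)

def _code(secret, imsi, cx, cy, counter, digits=6):
    """HMAC over IMSI, grid cell and time step, truncated to decimal digits."""
    msg = imsi.encode() + struct.pack(">qqq", cx, cy, counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def generate_otp(secret, imsi, lat, lon, now):
    """Server side: derive the code from where and when the request was made."""
    cx, cy = _cell(lat, lon)
    return _code(secret, imsi, cx, cy, int(now) // STEP_SECONDS)

def verify_otp(secret, imsi, lat, lon, now, submitted, cell_tol=1, step_tol=1):
    """Accept the current or previous time step and neighbouring grid cells.
    Every extra accepted candidate raises the odds of a blind guess, so both
    tolerances should stay small."""
    cx, cy = _cell(lat, lon)
    counter = int(now) // STEP_SECONDS
    ok = False
    for dt in range(step_tol + 1):
        for dx in range(-cell_tol, cell_tol + 1):
            for dy in range(-cell_tol, cell_tol + 1):
                candidate = _code(secret, imsi, cx + dx, cy + dy, counter - dt)
                ok |= hmac.compare_digest(candidate, submitted)  # no early exit
    return ok

if __name__ == "__main__":
    # Constructed sample values: secret, IMSI, coordinates and timestamp.
    secret, imsi, t0 = b"demo-shared-secret", "510011234567890", 1_593_400_000
    otp = generate_otp(secret, imsi, -8.6705, 115.2126, t0)
    print(otp, verify_otp(secret, imsi, -8.6805, 115.2126, t0 + 100, otp))
```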

OTP has a fairly high level of security and can increase security guarantees for e-commerce transactions. However, OTP requires additional mechanisms for creating and activating OTP tokens, to ensure that the user is valid. This mechanism is quite complicated compared with ordinary password-based authentication systems. Even so, security guarantees remain an important part that must be considered when conducting online transactions.


Reference:

Hsieh, W. Bin and Leu, J. S. (2011) 'Design of a time and location based One-Time Password authentication scheme', in IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference. doi: 10.1109/IWCMC.2011.5982418.