Evolution of an OTP nation
While the technology has its flaws, telecom companies that deliver these OTPs are at work to upgrade all networks across India to 5G
It is unlikely that mathematicians at work to develop the algorithms to create One Time Passwords (OTPs) in the 1940s would have imagined over a billion OTPs being delivered every day as text messages across Indian telecom networks. The mathematicians may not even have imagined how it would be delivered. Or that it would be used to authenticate people’s identities across domains as diverse as banking to travel, ecommerce deliveries, cinema tickets, even cab rides and much else.
While the technology has its flaws (and these are now showing up), the telecom companies that deliver these OTPs are at work to upgrade all networks across the country to 5G from the existing 3G and 4G networks most people use. Even as they do that, work is in progress to create the blueprints for a 6G world. But it is impossible to miss the confidence in the voice of a veteran who has worked at most telecom companies (telcos), witnessed the industry evolve from close quarters, and is now employed at Jio to oversee large parts of the company’s operations in North India.
“Realistically speaking, it will take between 7-10 years to phase OTPs out of India,” he says.
“And what’s the best-case to phase OTPs out?”
“Nothing less than 5 years.”
His confidence in the longevity of how long OTPs will continue to stay in India, it appears, isn’t misplaced. Manoj Menon, CEO and founder of Twimbit, a Singapore-based technology advisory and research firm that works with telcos world over makes the case that OTPs are embedded in the Indian psyche. His experience is that “India is a trust-deficit society and OTPs fill the gap.”
That is why, Menon goes on to explain, over time, OTPs have spilled across from banking where it was first implemented to authenticate transactions to other industries. To highlight his case, Menon points to taxi-ride hailing apps such as Uber and Ola, that now use it.
These apps send users an OTP to be shared with drivers at the beginning of a ride. This practice, he says, is followed only in countries such as India and Indonesia, for instance. It is unheard of in many other parts of the world, such as Singapore, North America and Western Europe, which he calls ‘high-trust societies.’ Even banking transactions there do not require OTPs.
That makes CN Ram uncomfortable.
A brief history of OTPs
CN Ram is among those who worked to build the digital avatar of the banking and fintech ecosystem in India. He is 66 now and is at work on a start-up to build a core banking solution. In his earlier avatar, he was CIO of HDFC Bank.
Some accounts in the public domain have it that the first OTP by an Indian bank to authenticate a transaction was implemented under Ram’s watch. There are other versions—some have it that the first OTP was delivered by the State Bank of India to a customer; while yet others claim it was ICICI Bank. Then there is the question of which telecom company sent the first OTP. Most versions have it that it was Airtel. When the CIOs from all these entities were contacted, no one authenticated who was the first past the post. All of them, Ram included, are unwilling to take credit for who implemented it at banks first. As for the telcos, no one recalls if it was Vodafone India, Airtel or some other company that delivered the first OTP. Jio was still on the drawing board and in another avatar.
“Those were heady days and all of us were at work to implement Two Factor Authentication (2FA) into the retail banking experience. There was so much happening,” says Ram. That is why, he says, no one cared or kept records of who sent the first OTP because everyone across banks, was in conversation with each other and stakeholders such as telcos to make it happen. “Banking is a fiduciary responsibility, and it is our responsibility to protect people’s money.”
Back then, ATMs were making its appearance in India and internet banking was gaining traction. And with that, scamsters were all over the place, thinking up ingenious ways to defraud people. To get around it, HSBC Bank, for instance, provided its customers with a device. When a button on it was pressed, the device would display a six-digit number that had to be punched online to complete a transaction. This was very similar to the how OTPs were thought up by the original creators. But devices such as the ones HSBC provided had to be carted around and people often forgot them at home when they needed them at the office – or vice versa.
Much brainstorming between all stakeholders later, OTPs sent as text messages over cell phones appeared to be the most elegant way to get the job done. And so, in 2009, the Reserve Bank of India (RBI) issued a diktat that all banks implement 2FA via cell phones. The data had it people were buying more phones and it was clear usage would go only upwards.
This is corroborated by Deepak Maheshwari, a New Delhi based public policy professional. “In the initial days, there was resistance and user apathy,” he says. “But now, things have come to a point where even entities such as social media companies use it to authenticate the identity of their users by sending OTPs to people’s phones and emails,” he says. With the benefit of hindsight, the data has it that implementing OTPs at such staggering scale reduced banking frauds. This is clear when the volume transactions are extrapolated to the similar volumes in other parts of the world.
The mathematics of OTPs
Is it possible that the volumes of these one billion plus OTPs each day choke telecom networks and lead to call drops? While Maheshwari is willing to buy the argument that networks in India are stretched, he is quick as well to point to the investments Jio and Airtel are ploughing in to augment the capacities of their network. “By next year, Jio will have an additional 2 lakh telecom towers and Airtel will have at least 1 lakh.” All these 5G-ready towers are intended to transition eventually to 6G.
“This means many Indians who are still on 3G will totally skip 4G and move straight off to 5G networks,” says Ram. There is much at stake for phone manufacturers and telecom operators here.
But why is an old (or outdated, if you will) technology such as the OTP still around in the contemporary world? And why do veterans in the industry believe it will be around for another 7-10 years? After all, there are risks inherent to OTPs in their current avatar.
Telcos have a vested interest in OTPs and the math puts it in perspective. An industry captain who did not want to come on the record put it this way: Technically, India has 1.2 billion mobile phone users, of which 600 million use smart phones. But there’s a twist to the numbers. Large numbers of people own 2 to 3 phones. So, while it is true that there are 1.2 billion phones, the actual population of people who have access to phones is between 600-650 million. Of these, between 250-350 million haven’t switched to smartphones.
His hypothesis is that large numbers of people still cannot afford to buy the more expensive 4G or 5G-ready handsets. What reinforces his hypothesis are the numbers. “We are selling at least 7-8 million non-data enabled handsets each month. These are replacement handsets for people who are already on the old network. So long as this market exists, the OTP will continue to be around.” And this market, will be around, until handset prices drop to affordable levels.
When Menon was asked to comment if there is merit in the math, he shared what he is a witness to. Telcos are at work to extract at least ₹300 out of each user. This is almost double the current Average Revenue per User (ARPU). But to get here, telcos will have to look at other ways to earn more. One way they are doing this now is to earn monies by selling text messages to enterprises in bulk to entities that feel compelled to send out OTPs.
In any which case, retail consumers have shifted their text messaging habit to other apps such as WhatsApp and Signal. Once upon a time, text messages used to earn telcos large monies. In the longer run, Menon says, “Most telcos will have to think up ways to earn anywhere between 20-30% of their revenues from non-telco lines of businesses,” says Menon. Until the time they get there though, they’ll keep the OTP revenue streams going.
When the veteran from Jio was asked to vet these numbers, he admitted that they were sound. That is why, he said, Jio is at work on a plan, which he claims “will be a differentiator and game changer.” The final contours of this plan, he claims, are being worked on by the top brass at Jio and they plan to implement it later this year. The insight they are working off is that the average Indian’s propensity to buy smartphones begins to look up only when the handset’s price drops below ₹15,000. Basis this number, Jio is tinkering around with two ideas: drop the price of a smartphone to below 15-20% of this magic number, which, the company believes will explode the market; and lease phones to those who don’t want to buy them (leasing drives sales of high-end handsets such as the iPhone, for instance, in markets like the US).
A spokesperson for Jio declined to comment. If this happens, it is possible OTPs get eradicated five years down the line.
And how will that happen?
While the math of OTPs makes for a compelling read from a telco’s perspective, there is another way to look at it: from the customer’s eye, points out Prasanto K Roy, a New Delhi-based technology policy analyst. “Telecom companies have got used to earning revenues by selling OTPs. But what about clients who pay for it? They’re beginning to ask if it is getting expensive?” To highlight the case, he points to Twitter after the company’s takeover by Elon Musk.
Earlier, 2FA on Twitter could be done by text messages as well. But after Musk implemented his cost-cutting exercise, one among the things that got the axe was 2FA via OTPs sent as a text message. He reasoned the cost of sending these messages were being borne by Twitter and unless a user was willing to pay for the service, it made no sense for the company to underwrite the cost. Since then, Roy says, others across the world have started to think along the same lines.
Then there are security holes that both Roy and Maheshwari are on the same page on when it comes to OTPs. “We are on the verge of moving into a more advanced digital world where even Aadhaar fingerprints can be robbed,” says Roy. Then there is the fact that people offer many applications (app) that reside on their phones the permission to ‘read’ their OTPs. But each time a user allows an app this permission, many don’t realise they are offering these apps the permission to read all their text messages as well.
How do know these apps will keep your data confidential? What if it goes rogue? For that matter, what if there is something about how it processes your data that you don’t know about? That is why, Maheshwari says “The ways OTPs work now are like putting a lock on your door and then offering the key to a thief.”
And when Ram thinks about it, his mind goes back to the early days when OTPs on telecom networks had to be implemented at the bank. They had to go out of their way to make things happen. There were frequent complaints of people not receiving OTPs. Then there were those who cloned SIM cards, spoofed other people’s identities, diverted OTPs, and stole money. It took them much to build a system and keep it well oiled. But the challenges have gotten more complex with the volumes of text messages going up.
This is why there is much work happening in the background to do away with OTPs. When the global landscape is looked at, the credit card ecosystem in ‘High Trust Societies’ evolved well without OTPs. But that was at a different point in time. The way fraud management analytics has evolved since then is significant and happens pretty much in real time.
To explain that Roy describes in detail what happens when anyone of us swipes a credit or debit card or withdraws money from an ATM. The systems have evolved to a point where it can detect what is a normal transaction basis an individual’s spending patterns in the past. If it notices any anomaly, the problem is escalated in 0.2 seconds to a human operator even as it places a call to the registered number to authenticate the transaction. That is why, he goes on to say, “If anything, he suggests it may evolve and exist as an app that is more secure.”
This is something Ram agrees with as well. When probed on what may it look like, he points to developments in other parts of the world. In China, for instance, biometric technology has evolved significantly enough such that people can wave their palm to make a payment. Then there is US. Pilots have begun at immigration counters of various airports that don’t require people to queue up and get their passports stamped. Facial recognition technology does the job instead. “A picture of you is intended to be your entry and exit stamp,” Ram says.
But, he adds, it will be a while before these technologies go mainstream world over. “Right now, I feel comfortable with the OTP,” he says, and laughs. And that is why the telco veteran from Jio is confident that “OTPs are not going anyplace soon.”