Why Banks Can’t Rely on One-Time Passwords Anymore
Banks are confronting a difficult reality: the one-time password, once treated as a reliable safeguard, is no longer sufficient to protect accounts in an environment shaped by automation and deception.
Schalk Nolte, CEO of Entersekt, made clear that the industry has long understood the limitations. “This is not new,” he said, noting that warnings about one-time passwords (OTPs) date back more than a decade.
What has changed is not the core weakness, but the intensity of its exploitation. “The major difference that we’re seeing now simply is the scale of the attack rather than the sophistication,” Nolte said. Bots can cycle through stolen credentials and repeatedly attempt logins until they can intercept or elicit a code.
A control that may have been adequate in a lower-volume threat environment now faces continuous pressure. The same vulnerabilities persist, but they are exercised far more frequently.
Why Banks Still Depend on OTPs
Despite these limitations, one-time passwords remain embedded in many authentication flows. Nolte attributed that persistence to operational convenience.
“It’s easy to deploy,” Nolte said, adding that an OTP requires little from the customer beyond a mobile number.
That simplicity aligns with long-standing priorities around user experience. Institutions do not need customers to download applications or complete enrollment steps. In many cases, the process is immediate and familiar.
Cost also plays a role. OTP systems are inexpensive relative to more advanced authentication methods. For smaller banks and credit unions, the balance between cost, usability and security often leads to continued reliance on these tools.
Yet that balance introduces trade-offs. As institutions add more authentication prompts to compensate for risk, customers encounter repeated challenges that can diminish attention and trust.
Fatigue Weakens the Signal
Nolte pointed to a growing problem with overuse. The effect is a form of fatigue. Authentication requests lose their significance when they appear too frequently. Customers begin to respond automatically rather than thoughtfully, which undermines the purpose of the control.
This environment creates openings for fraudsters who rely less on technical exploits and more on persuasion.
Social Engineering Moves to the Forefront
According to Nolte, social engineering has become a primary method for bypassing OTP-based security. “Social engineering is unfortunately … something that gets past all of these things,” he told PYMNTS.
These attacks do not require breaking encryption or intercepting messages. Instead, they rely on convincing customers to share codes directly. The method exploits trust rather than infrastructure.
Nolte described a case in which a fraudster posed as a bank employee conducting a test. The customer was told to read back a one-time password to assist with a security check. “A couple of hundred thousand dollars later … it wasn’t a test,” he said.
The example underscores a broader weakness. When authentication depends on user cooperation without clear context, it becomes vulnerable to manipulation.
Making Authentication Context-Aware
To address these gaps, Nolte argued that institutions must move beyond static challenges and introduce intelligence into the process. “Make your dumb authentication smart,” Nolte advised.
The goal is to evaluate signals surrounding each interaction, including behavior, location and device characteristics. Authentication should adapt based on risk rather than apply uniformly across all transactions.
This approach allows banks to reduce unnecessary friction while focusing attention where it matters. Instead of prompting every user for every action, systems can escalate only when anomalies appear.
Nolte emphasized that there is no single solution. Different authentication methods address different risks, and institutions must combine them in a coordinated framework.
Layering Defenses Without Disrupting Customers
Entersekt’s approach, as described by Nolte, centers on integrating intelligence into existing authentication stacks rather than replacing them outright. The aim is to preserve the familiar user experience while improving decision-making behind the scenes.
“We plug into your authentication stack and make your authentication stack smart,” he said. That includes incorporating behavioral analytics and broader data signals to identify suspicious activity.
The analogy he offered reflects the shift. Traditional systems resemble a generic alarm that signals a problem without identifying its cause. More advanced systems specify what is happening and how to respond.
This layered model also allows for gradual adoption. Banks can begin by enhancing existing controls and then introduce additional methods, such as passkeys or biometrics, as needed.
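As an added illustration (not Entersekt's product and not code from the article), the sketch below shows the "make dumb authentication smart" idea in practice: a small risk engine sits in front of an existing OTP step, scores constructed context signals such as device, location, attempt volume and behavior, and escalates only when they look anomalous, preferring a phishing-resistant factor over yet another code when an OTP alone would not be trusted. All field names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed context signals for one login attempt (hypothetical names, not a vendor API).
@dataclass
class LoginContext:
    known_device: bool            # device fingerprint previously seen on this account
    km_from_last_login: float     # distance from the last successful login location
    failed_logins_1h: int         # failed attempts on this account in the last hour
    ip_accounts_1h: int           # distinct accounts attempted from this IP in the last hour
    otp_prompts_24h: int          # OTP challenges already sent to this customer today
    typing_matches_profile: bool  # behavioral biometrics agree with the customer's profile

def risk_score(ctx: LoginContext) -> int:
    """Additive risk score; each signal contributes independently (weights are assumed)."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.km_from_last_login > 500:
        score += 20
    if ctx.failed_logins_1h >= 5:
        score += 25
    if ctx.ip_accounts_1h >= 20:       # one source hammering many accounts: bot-scale volume
        score += 40
    if not ctx.typing_matches_profile:
        score += 15
    return score

def decide(ctx: LoginContext) -> str:
    """Map risk to an action so that most low-risk logins get no prompt at all.

    allow            - no challenge; avoids needless prompts that breed fatigue
    step_up_otp      - an OTP is acceptable for moderate, explainable risk
    step_up_strong   - require a passkey/biometric; an OTP alone is not trusted here
    block            - signals match automated credential abuse
    """
    score = risk_score(ctx)
    if score >= 70:
        return "block"
    if score >= 40:
        return "step_up_strong"
    if score >= 20:
        # A customer already prompted repeatedly today is more likely to answer on
        # autopilot or read a code to a caller, so use a stronger factor instead.
        return "step_up_strong" if ctx.otp_prompts_24h >= 3 else "step_up_otp"
    return "allow"
```

The decision is computed before any code is sent, so the bot-volume and fatigue signals can suppress an OTP that would otherwise be issued blindly.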
A Shift in How Banks Think About Security
The persistence of OTPs reflects a broader tension between convenience and protection. As fraud tactics expand, that balance is becoming harder to maintain with static tools.
Nolte framed the path forward as an incremental process that prioritizes intelligence and context. “Take what you have and augment this with something that provides intelligence,” Nolte told PYMNTS.
The post Why Banks Can’t Rely on One-Time Passwords Anymore appeared first on PYMNTS.com.