Two research teams — one at the Indian Institute of Science (IISc) and another linked to DRDO — have announced a promising new approach to reduce OTP theft and related fraud. Here’s a quick, user‑friendly breakdown of what this means and how it helps you stay safer online.

1. What’s the problem with OTPs today?

OTPs (one‑time passwords) are widely used for bank logins, payments and account recovery. But attackers steal OTPs via:

· SIM‑swap and SS7 attacks

· Phishing pages and fake apps that ask for your OTP

· Malware/keyloggers that read SMS or capture on‑screen codes

2. The new idea — layered verification + hardware trust

Instead of relying solely on a single SMS/code, the new approach combines short‑lived OTPs with a second trusted signal — for example:

· a device‑bound cryptographic token (secure element / Trusted Execution Environment), or

· a secure on‑device attestation that proves the request originates from your legitimate device/app.

That means even if an attacker gets your SMS OTP, they cannot finish the transaction without the second proof, which only your legitimate device can produce.
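To make the layered check concrete, here is an added, self-contained example (not code from the IISc or DRDO teams, and not any bank's implementation). It pairs an RFC 6238 time-based OTP with a device-bound proof over a server-issued, transaction-bound challenge, and then runs the scenarios from the text: the legitimate user, an attacker holding a phished OTP but no device key, a replayed proof, and a proof produced for a different transaction. The device key, user identifiers, account numbers and amounts are all constructed for the example; HMAC stands in for the hardware-backed signature a secure element or TEE would produce, so the whole thing runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def device_proof(device_key: bytes, challenge: bytes, txn: str) -> bytes:
    """What the phone's secure element / TEE would compute over the challenge
    and the exact transaction. HMAC is a stand-in for a hardware-backed
    signature so the example needs no third-party library (assumption)."""
    return hmac.new(device_key, challenge + txn.encode(), hashlib.sha256).digest()


class Server:
    """Bank-side verifier. Holds the user's OTP seed and the verification key
    for the device (constructed analogue of a registered device public key)."""

    def __init__(self, otp_seed: bytes, device_key: bytes):
        self.otp_seed = otp_seed
        self.device_key = device_key
        self.pending = {}  # challenge nonce -> transaction it was issued for

    def issue_challenge(self, txn: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = txn
        return nonce

    def verify(self, otp: str, proof: bytes, challenge: bytes, txn: str, now: int) -> bool:
        # 1. challenge must be one we issued, for this exact transaction, and unused
        if self.pending.pop(challenge, None) != txn:
            return False
        # 2. short-lived OTP, tolerating one time step of clock skew each way
        otp_ok = any(hmac.compare_digest(totp(self.otp_seed, now + d), otp)
                     for d in (-30, 0, 30))
        # 3. device proof: only the device holding the key can produce it
        expected = device_proof(self.device_key, challenge, txn)
        proof_ok = hmac.compare_digest(expected, proof)
        return otp_ok and proof_ok


def run_scenarios(now: int = 0) -> dict:
    """Runs the four scenarios and returns which ones the server accepted."""
    now = now or int(time.time())
    otp_seed = secrets.token_bytes(20)
    device_key = secrets.token_bytes(32)   # exists only inside the legitimate device
    server = Server(otp_seed, device_key)
    txn = "transfer:ACC-1234->ACC-9999:amount=50000"   # constructed transaction
    otp = totp(otp_seed, now)              # the code the bank sends / the app shows

    # Legitimate user: OTP plus a proof from the real device over this transaction.
    ch = server.issue_challenge(txn)
    legit = server.verify(otp, device_proof(device_key, ch, txn), ch, txn, now)

    # Attacker with an intercepted OTP but no device key: can only guess the proof.
    ch = server.issue_challenge(txn)
    stolen_otp_only = server.verify(otp, secrets.token_bytes(32), ch, txn, now)

    # Captured genuine proof replayed after the challenge has been consumed.
    ch = server.issue_challenge(txn)
    real_proof = device_proof(device_key, ch, txn)
    server.verify(otp, real_proof, ch, txn, now)            # used once, legitimately
    replay = server.verify(otp, real_proof, ch, txn, now)   # same challenge again

    # Proof the device made for a different transaction does not authorise this one.
    ch = server.issue_challenge(txn)
    other_txn = "transfer:ACC-1234->ACC-0001:amount=10"
    wrong_txn = server.verify(otp, device_proof(device_key, ch, other_txn), ch, txn, now)

    return {"legit": legit, "stolen_otp_only": stolen_otp_only,
            "replay": replay, "wrong_txn": wrong_txn}


if __name__ == "__main__":
    print(run_scenarios())
```

Only the first scenario is accepted. The point the example makes is that the second factor is bound to the device key, to a single-use challenge and to the transaction details, so an intercepted OTP on its own, a replayed proof, or a proof for a different transfer each fail at the server.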

3. Why this reduces OTP theft

· No single point of failure: Stealing SMS alone isn’t enough.

· Phishing resistant: Fake pages can capture codes but cannot forge device attestations.

· Less reliance on SMS: Encourages app‑based verification that’s harder to intercept.

4. How banks and apps may adopt it

Financial institutions and app developers can integrate the system by:

· Using on‑device cryptographic keys (available on modern smartphones)

· Requiring attestation for sensitive operations (high‑value transfers, password resets)

· Falling back to multi‑factor checks (biometrics + OTP) for suspicious transactions

5. What this means for you — the user

· Expect fewer SMS‑only verifications for high‑risk actions.

· Apps may ask you to use the official mobile app instead of web/SMS flows.

· You’ll see prompts like “Confirm on your device” or biometric approval alongside OTP.

6. Limitations & practical caveats

· Older phones without secure hardware won’t get full protection.

· Adoption depends on banks, payment apps and regulators updating their systems.

· It strengthens security but doesn’t replace good habits (phishing vigilance, device hygiene).

7. Safety checklist — what you should do now

· Use official bank/payment apps (not web links from SMS).

· Enable app‑based approvals and biometrics where available.

· Keep OS and apps updated so device‑level protections work.

· Never share OTPs, even if someone claims to be “bank support.”

Bottom line: The IISc–DRDO work points to a future where an intercepted SMS alone can’t let crooks drain your account. As banks roll out device‑attestation and app‑based second factors, OTP hacking will become much harder — but you still need to practice safe habits today.

Disclaimer:

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any agency, organization, employer, or company. All information provided is for general informational purposes only. While every effort has been made to ensure accuracy, we make no representations or warranties of any kind, express or implied, about the completeness, reliability, or suitability of the information contained herein. Readers are advised to verify facts and seek professional advice where necessary. Any reliance placed on such information is strictly at the reader’s own risk.
