In a directive to banks, the CBI obliged all lenders to create the grounds for OTP services by the end of current Iranian month (May 21) or face penalties.
The regulator stipulates that the existing static passwords will be active only up to May 21.
It initially urged banks last September to put into operation the OTP plan within a month and stated that lenders would be held accountable for any loss incurred on clients after the deadline, Financial Tribune reported.
However, after many banks failed to create the necessary platform, the CBI was compelled to declare a deadline.
The one-time password, developed to address the shortcomings of static passwords, is a pass code valid for a single login or online transaction on a computer system or other digital devices and be discarded after 60 seconds.
This means that a potential intruder who manages to record an OTP that was already used to log into a service or make a transaction will not be able to abuse it simply because it will no longer be valid.
The main importance of OTPs is that, unlike static passwords, they are not vulnerable to replay attacks. An OTP is more secure than a static password, especially a user-created password, which can be weak or reused across multiple accounts.
A board member of Bank Melli Iran says the bank has developed an application dubbed "60” to offer both the first and second passwords as a one-time password for one minute. The application can run offline without the need for internet.
Currently more than 80% of bank transactions are online.
Lagging Behind
Despite the CBI deadline, there are banks that say they cannot offer the services for now due to software and infrastructure drawbacks. Some have asked for time from the CBI, IRNA reported.
Some banks provide OTP services on their own software and oblige applicants to install the same. This is to encourage them use other services available on the software.
This is while most clients have accounts in more than one bank and obliging them to install multiple e-bank software would indeed be a hassle.
Moreover, there are people and clients who don’t have smart phones to run the application or simply cannot use the application.