
Authenticating any identity – human or non-human – requires a layered approach of multiple technologies and protocols. Getting the layers right for your organisation requires a good understanding of how the different methods of authentication work and their comparative strengths. As the methods of authentication grow and evolve, however, keeping track of how they best work together can be challenging.
To help keep the picture clear, in this blog we are examining the differences between OTP authentication and our own endpoint authentication protocol, Authentikey. We’ll look at how each one works, and how they can complement each other to create a strong authentication layer that’s proof against quantum attacks, addresses concerns around artificially inflated traffic, and more.
What is OTP?
OTP stands for One Time Passcode. An OTP system generates a passcode valid for one session, which is sent to the user so they can access the service or system they are trying to communicate with. There are a few different ways the system can be implemented:
- Most commonly, a single OTP is generated and shared with the user via another channel – typically SMS, but email and WhatsApp are also used.
- OTPs can also be generated using a physical token synchronised with the service the user is trying to access. The most famous example of these is arguably the RSA SecurID.
- OTPs can also be shared in the form of soft tokens – the codes in an authenticator app that change every 60 seconds are an example of this.
OTPs are very widely used, with SMS being one of the most popular methods of sharing OTPs with users.
What is Authentikey?
Authentikey is the world’s first Continuous Trust Verification Protocol. It enables mutual endpoint authentication using identical private ledgers of key exchanges, based on a wide range of initial trust anchors.
Each time two endpoints interact, a new key pair is generated and stored in each endpoint’s ledger. A two-way challenge is then initiated, which requires each endpoint to hold both the key currently being generated and the previous key in the ledger.
Organisations can use Symmetrikey, ML-KEM, or ECDH keys with Authentikey. If using ML-KEM or Symmetrikey, then Authentikey is a quantum-safe authentication solution – and it’s easy to switch between key types, enabling crypto-agility and making the migration to quantum-safe authentication smoother.
Strengths of OTPs
OTPs’ main strength lies in their ease of implementation – they are well-established technology that can be implemented in a number of ways. SMS distribution, particularly, is ubiquitous, making it possible to authenticate anyone who has access to a mobile phone, however basic, and even with low network strength.
Additionally, the algorithms used to generate OTP codes are generally based on symmetric-key cryptography (typically an HMAC over a shared secret), and as such are considered quantum-safe. This means that the risk of an attacker being able to compromise the system generating your OTPs, in order to generate their own OTPs successfully, is low.
Compared to regular passwords, OTPs are a stronger form of security as they don’t remain usable for long – so if an attacker recovers one, they can only use it for one session (though of course they could do considerable damage in that session).
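To make the two points above concrete (OTP codes are derived from a shared symmetric secret, and a code should only be accepted once), here is an added example that is not part of the original post: a minimal RFC 4226 HOTP / RFC 6238 TOTP generator together with a server-side verifier that tolerates one time step of clock skew but refuses a replayed code. The secret and timestamps are the RFC 6238 test vectors; the time step is a parameter (the RFC vectors use 30 s, and the verifier class name is ours).

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(now / step)."""
    return hotp(secret, now // step, digits, algo)


class TotpVerifier:
    """Server side (hypothetical helper): accepts a code once, within +/-1 time step.

    The server holds the same symmetric secret as the user's token; nobody
    without that secret can mint a valid code. The highest time step already
    consumed is remembered so the same code cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6):
        self.secret, self.step, self.digits = secret, step, digits
        self.last_counter = -1                  # highest time step already used

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in (counter - 1, counter, counter + 1):   # tolerate one step of skew
            if c <= self.last_counter:          # already consumed: treat as replay
                continue
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


# Constructed demo using the RFC 6238 SHA-1 test secret and timestamps.
RFC_SECRET = b"12345678901234567890"

def demo() -> tuple[str, bool, bool]:
    code = totp(RFC_SECRET, 59, step=30, digits=8)          # RFC vector: "94287082"
    v = TotpVerifier(RFC_SECRET, digits=8)
    first = v.verify(code, 59)                               # accepted once
    replay = v.verify(code, 59)                              # same code again: rejected
    return code, first, replay
```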
Limitations of OTPs
The weak link in any OTP system is the transmission of the code to the user. Though there are efforts to improve the security of this transmission via the use of time-based OTPs delivered via authenticator apps, many OTPs are still delivered by SMS. This introduces several vulnerabilities:
- The SMS will likely be routed through several different providers as it travels from the issuer to the user; each one represents a weak spot where an attacker could intercept the SMS. Not only does this increase the size and number of attack vectors for fraudsters (which could also include employees of SMS suppliers) to target, it also poses further concerns over data privacy and governance.
- The OTP is carried in plaintext; once an attacker has intercepted the SMS, they can simply read the OTP and use it.
These issues make OTPs shared using SMS highly vulnerable to man-in-the-middle attacks.
On top of the security issues, SMS-based OTPs have commercial challenges to overcome. Generally speaking, OTPs are charged at a unit cost – so the more sessions you authenticate, the more OTPs cost. This structure can put some organisations off authenticating more sessions than they have to, leading to infrequent authentications and security gaps.
The price of SMS, too, has soared in recent years. Leading industry analyst Mobilesquared notes that the average cost of an internal A2P SMS in 2025 is $0.10059. This is an increase of 303% since 2021, with costs in some countries now standing at as much as €0.25 per message. With pricing increasing dramatically at regular intervals, enterprises are looking for authentication channels with more stable costs.
Of perhaps more concern, enterprise brands lost $1.06B when choosing A2P (application-to-person) SMS due to AIT (Artificially Inflated Traffic). Mobilesquared predicts that “Smishing is expected to be the fraud type that will potentially cause the most damage to the (SMS) channel in the coming years,” highlighting major security concerns for both enterprises and consumers when SMS is the primary channel for MFA.
Strengths of Authentikey
Authentikey’s key strengths compared to OTP lie in the strength of security it offers. Unlike OTP, the Authentikey process is encrypted, so even if an attacker were to intercept the messages in the exchange they would be unable to do anything with them. Additionally, Authentikey contains man-in-the-middle detection capabilities that ensure the system would very quickly identify the breach so that the communication can be aborted.
Authentikey is also a mutual authentication protocol, meaning that both parties verify the other by forcing them to answer a challenge that requires access to the identical private ledger keys. This makes Authentikey a great complementary layer to tools such as OTPs, enabling the user to verify that they are dealing with a genuine organisation, and enabling the organisation to verify that they are dealing with a genuine customer, with OTPs providing an additional layer of verification. It’s feasible that Authentikey can even help identify whether an OTP has been requested by a fraudster attempting to hijack a user’s account, if they are using a different endpoint.
Ultimately, Authentikey provides consumers with much greater protection against phishing (or smishing, if comparing with SMS-based scams).
In commercial terms, Authentikey also opens up new opportunities. We are discussing with partners what commercial models are most appropriate, but we are anticipating that we can enable pricing that makes it cheaper for customers to authenticate their consumers, while also making authentication more profitable for the OTP providers. Authentikey has the potential to transform the costs of user authentication, without adversely affecting margins.
Limitations of Authentikey
Authentikey does require an additional authentication method to be used the first time that two endpoints communicate, to act as the root of trust. That could be a CA, Trust on First Use, or another method. But once that has been done, that root of trust is never referred back to – every reauthentication is done using the identical private ledgers, unless a serious breach were to occur.
The only other consideration is that Authentikey is new technology – we are currently in beta testing. However, at Cavero Quantum we are passionate about forming deep partnerships with security providers and message aggregators offering OTP services to help us co-create products and solutions using Authentikey. Our team is wholly focused on Authentikey and our key exchange protocol, Symmetrikey, meaning we can respond quickly to new developments and continually optimise our product.
In this sense, Authentikey’s newness is less a weakness and more of an opportunity for forward-thinking organisations to help shape the next generation of authentication services.
Comparing Authentikey and OTPs
| | Authentikey | OTPs |
| --- | --- | --- |
| Basis of security | Key exchange – either Symmetrikey, ML-KEM, or ECDH | For key generation: a variety of algorithms, many based on HMAC. For key transmission: variable, often none! |
| Type of identity verified | Machine/non-human identity | Human identity |
| Infrastructure | Software-based | Software-based, but codes can be transmitted via SMS network. |
| One-way/mutual? | Mutual authentication | One-way authentication |
| Level of security | Quantum-safe (computational security, if using Symmetrikey or ML-KEM) | OTP generation algorithm – quantum-safe (computational security). Transmission layer – variable. SMS insecure, WhatsApp more secure. |
| Complexity | Medium – software-based. | Low – especially if using SMS. |
| Computational demand | Low | Low |
Which is better: Authentikey or OTP?
As we said at the start of this blog, authentication is a game of layers. There isn’t one solution that handles everything (and you should be wary of anyone telling you otherwise). Both Authentikey and OTPs have strengths that complement each other.
The ubiquity and ease of SMS implementation mean that in many cases OTPs will remain a strong contender for authentication, especially in areas where establishing a key using IP channels isn’t possible. But by complementing that with Authentikey, which can validate the endpoint inputting the OTP and the endpoint requesting the code to each other, the inherent security flaws in SMS can be mitigated. This creates a vital additional layer of security that helps protect against social engineering fraud and account takeover.
Get Beta access to Authentikey
I hope this article has helped you assess the value of Authentikey in your authentication stack, and how it can complement OTP authentication by providing highly secure mutual endpoint authentication.
Authentikey is available in Beta, and we are interested in talking with organisations interested in helping us refine and optimise Authentikey in real-world applications. To discuss getting access to the Beta, fill in the form below and we’ll be in touch.
