12.2 OTP, SMS, and Authenticator Apps
When cryptographic intent is signed directly, time-based codes and shared secrets become unnecessary.
Legacy OTP Model vs PTERI
| Category | Traditional Model | Problems | PTERI Replacement |
|---|---|---|---|
| Authentication Method | Time-based codes (TOTP/SMS OTP) | Code replay | Explicit cryptographic approval |
| Secret Model | Shared seeds between server and device | Shared secrets can be extracted or duplicated | No shared seeds |
| Telecom Dependency | SMS-based verification | SIM swap attacks | No telecom dependency |
| Session Authorization | Code proves temporary access | Does not prove specific intent | Single-use cryptographic challenges |
| User Experience | Manual code entry | UX friction, added failure modes | Local biometric gating |
| Security Model | One-time code validates login | Codes can be phished and reused within the validity window | Intent is signed and bound to challenge |
Core Principle
"OTP becomes unnecessary when intent is signed."
When approval is cryptographic, explicit, and single-use, time-based codes add no security value.
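The "single-use cryptographic challenges" and "intent is signed and bound to challenge" rows above, as an added Go sketch that is not PTERI's own code: the device holds a key pair (no shared seed), the server binds a random challenge to one explicit intent, and a signature is accepted only for that intent and only once. The `Server` type, the `user|intent|challenge` message format and the choice of Ed25519 are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Server keeps registered device public keys and outstanding single-use challenges.
// It never holds a device private key, so there is no shared seed to extract or copy.
type Server struct {
	keys       map[string]ed25519.PublicKey // user -> registered device public key
	challenges map[string]string            // challenge nonce -> "user|intent" it was issued for
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

// IssueChallenge binds a fresh random nonce to one user and one explicit intent.
func (s *Server) IssueChallenge(user, intent string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	c := hex.EncodeToString(nonce)
	s.challenges[c] = user + "|" + intent
	return c, nil
}

// Approve runs on the device after local (biometric) gating, which is assumed and not shown.
// The signed bytes cover the exact intent and challenge, so the signature cannot be
// re-purposed for another action or another challenge.
func Approve(priv ed25519.PrivateKey, user, intent, challenge string) []byte {
	return ed25519.Sign(priv, []byte(user+"|"+intent+"|"+challenge))
}

// Verify accepts a signature only for the intent the challenge was issued for, checks it
// under the registered key, and then consumes the challenge so a replay is rejected.
func (s *Server) Verify(user, intent, challenge string, sig []byte) error {
	if s.challenges[challenge] != user+"|"+intent {
		return errors.New("unknown, already-used, or mis-bound challenge")
	}
	pk, ok := s.keys[user]
	if !ok || !ed25519.Verify(pk, []byte(user+"|"+intent+"|"+challenge), sig) {
		return errors.New("signature does not verify under the registered device key")
	}
	delete(s.challenges, challenge)
	return nil
}
```

Note that the mismatch check runs before the signature check, so a signature over a different intent (or a signature replayed after the challenge was consumed) never reaches the key step.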