The one-time SMS passcode has been the most important customer authentication tool for over a decade. Now change is in the air – all thanks to secure, cheap and fast alternatives such as data verification and flash calls. Lee Suker, head of authentication at Sinch, examines the implications.
During the pandemic, many millions of consumers received the following text for the first time: ‘here is your security code, do not share it with anyone’. Each year, companies send billions of these authentication messages. They have good reasons for that. Two-factor text access codes (SMS OTP) provide a reliable way to onboard a customer’s phone number and give almost everyone on the planet access to two-factor authentication.
The combination of “something you know” (your username/password) with “something you have” (possession of your phone, proven by correctly entering the OTP code) makes it much more difficult for fraudsters to take over your online accounts.
So why did volume increase during the COVID period? In a socially distanced world, many people switched to digital services for the first time. In order to shop, bank and access government services remotely, these novice consumers had to prove their identity remotely. The best way to do that? Sign up with a two-factor text.
Industry data shows just how big this growth is in business-to-consumer messaging. According to the trade association MEF, 89 percent of consumers now receive regular text messages from brands – with most receiving two to twenty a week. Meanwhile, industry analyst Mobilesquared says a million businesses tried mobile messaging for the first time in 2021.
Sure, companies text for all sorts of reasons: marketing, customer service, alerts. But authentication is the primary use case. In fact, passcodes could account for about 20 percent of all business SMS traffic.
The phone in your hand versus the password in your head
To understand the meteoric rise of this authentication technique, you need to understand what it has replaced. Ten years ago, most people logged into online accounts with a username and password. This was (and still is) a very flawed process. Bad actors can steal these bits of personal information quite easily via social engineering or phishing. They can even buy databases of stolen passwords on the dark web.
Passwords don’t work well for consumers either. People are told: use a different password for each service. Make it really long and complicated. Never share it. And definitely don’t write it down.
Understandably, most ignore this advice, no matter how sensible and well-intentioned it is. Instead, they do the opposite. They choose simple passwords, which they use for multiple accounts.
As we discussed earlier, one-time SMS passcodes provide a much more secure and user-friendly option. But not a perfect one. Over time, fraudsters figured out how to crack the method.
The most common form of attack is smishing (SMS phishing). Here the fraudster sends a text message that appears to be from a trusted source to trick recipients into clicking a link. The fake link then downloads malware to the target smartphone, enabling the criminal to perform a man-in-the-middle attack (intercepting the OTP and passing the code to the criminals without the user’s knowledge). Intercepted OTPs are then used in conjunction with stolen passwords to access private accounts.
Historically, the online industry has tried to mitigate this particular problem by educating end users: don’t click that link!
Another attack method is SIM swapping. Here, the attacker poses as an MNO customer and uses social engineering techniques to persuade a telco call agent to send a replacement SIM card for a lost/stolen phone. He or she can then receive OTP texts and change security details. These attacks are highly targeted and it is fair to say that MNOs have developed processes to prevent such incidents.
Mobile authentication: finally new options
Needless to say, the messaging industry is working hard to combat these abuses. For example, it has developed official sender ID registries and launched consumer education campaigns.
For these reasons – as well as the method’s widespread prominence – text OTP remains the default authentication choice of most digital service providers. But in the background the industry is devising alternatives. And now these new options are finally gaining momentum. Let’s explore the top two.
Data verification
Each phone has its own IP address and its own public number. Data verification uses this unique combination to enable secure authentication in seconds. The process works by confirming that the phone number being verified is the one associated with the IP address of the current data session.
The technique is inherently safer because it removes the social engineering risk of OTPs: there is no code for the user to be tricked into handing over. Data verification also makes it nearly impossible for a scammer to perform a man-in-the-middle attack, because the check completes before there is any window to intercept.
Flash call
A flash call uses voice instead of text to authenticate a user. The company makes (through a messaging provider) an intentionally missed call to the target user from any number. The last four digits of the incoming number contain the access code that the consumer uses to authenticate. In the most advanced use case, the receiving phone (Android models only) automatically answers the call and processes the passcode without active user intervention.
Flash calling is very safe: the chance of ‘man in the middle’ interception by fraudsters is considerably reduced. But just as importantly, it’s cheap. Randomly generated IP calls cost very little to make (especially when not picked up by the recipient). In fact, we estimate flash calls could be at least 25 percent of the authentication costs. For any enterprise sending millions of SMS OTPs, this is extremely attractive.
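The two mechanisms described above (the six-digit code carried in a text, and the four-digit code carried in the last digits of a flash call’s caller ID) share the same server-side discipline: a code is bound to one phone number, is valid for a short window, survives only a few wrong guesses, is compared in constant time and is discarded the moment it is used. The following is an added example written for this article and is not Sinch code; the number prefix the flash call is placed from, the phone numbers and the five-minute validity window are constructed assumptions, and the two `code_from_*` helpers only mirror what the handset or operating system does when it reads the code on the user’s behalf.

```python
"""Issue and verify one-time challenges delivered by SMS or by flash call.

Added example, not vendor code. Defensive properties shown:
single use, expiry, attempt limit, constant-time comparison.
"""
import hmac
import re
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a code stays valid for five minutes
MAX_ATTEMPTS = 3         # wrong guesses before the challenge is discarded
# Hypothetical number range the flash call is placed from; the last four
# digits are varied per challenge and carry the code. Not a real range.
FLASH_CALL_PREFIX = "+44 20 7000 "


@dataclass
class Challenge:
    code: str
    method: str          # "sms" or "flash"
    expires_at: float
    attempts: int = 0


class ChallengeVerifier:
    """Keeps at most one live challenge per phone number and checks replies."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for testing expiry
        self._pending: dict[str, Challenge] = {}

    def _store(self, phone: str, code: str, method: str) -> None:
        # Re-issuing replaces any earlier code, so only one is ever live.
        self._pending[phone] = Challenge(code, method, self._clock() + CODE_TTL_SECONDS)

    def issue_sms_otp(self, phone: str) -> str:
        """Return the text to send; the six-digit code is inside it."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._store(phone, code, "sms")
        return f"Your security code is {code}. Do not share it with anyone."

    def issue_flash_call(self, phone: str) -> str:
        """Return the caller ID to dial from; its last four digits are the code."""
        code = f"{secrets.randbelow(10 ** 4):04d}"
        self._store(phone, code, "flash")
        return FLASH_CALL_PREFIX + code

    def verify(self, phone: str, submitted: str) -> tuple[bool, str]:
        ch = self._pending.get(phone)
        if ch is None:
            return False, "no pending challenge"
        if self._clock() > ch.expires_at:
            del self._pending[phone]
            return False, "expired"
        ch.attempts += 1
        # Constant-time compare so a timing side channel cannot leak digits.
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            del self._pending[phone]         # single use: a replay now fails
            return True, "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]         # lock out brute forcing of the code
            return False, "too many attempts"
        return False, "mismatch"


def code_from_sms(text: str) -> str:
    """What an OS auto-fill does: pull the six-digit code out of the message."""
    match = re.search(r"\b\d{6}\b", text)
    return match.group(0) if match else ""


def code_from_caller_id(caller_id: str) -> str:
    """What the handset does on a flash call: take the last four digits dialled."""
    digits = "".join(c for c in caller_id if c.isdigit())
    return digits[-4:]


if __name__ == "__main__":
    verifier = ChallengeVerifier()
    phone = "+1 555 0100"                    # constructed sample number
    sms = verifier.issue_sms_otp(phone)
    print(sms, verifier.verify(phone, code_from_sms(sms)))
    caller = verifier.issue_flash_call(phone)
    print(caller, verifier.verify(phone, code_from_caller_id(caller)))
```

The clock is injected so expiry can be exercised without waiting five minutes; in production the default `time.time` is used as-is. Keying the store by phone number means a second issue overwrites the first, which also bounds how many valid codes exist for one user at any moment.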
In the end, user experience wins
While both of the above methods rank highly in terms of security and cost, there is a third reason for companies to consider them: user experience.
The importance of UX can hardly be overestimated. The success of any authentication process, no matter how secure or affordable, ultimately depends on consumers’ willingness to use it.
The SMS OTP UX is pretty clunky. Think about it: a user has to wait for the code to appear, leave the application, open the messaging app, memorise or copy the digits, return to the app, and then type them in. This is a problem in the online world, where attention spans are short. In fact, a 2020 study by Yubico found that 23 percent of respondents said SMS OTPs are very inconvenient, while 56 percent of those who use a smartphone or other personal device to access work-related items don’t use 2FA at all.
It’s also fair to say that while texting is clunky, it’s also well understood. Familiarity is a comforting concept for users. It follows that it is essential to get the best texting experience possible. In addition to delivering OTPs quickly, in some circumstances the operating system of the device processes the OTP automatically, so the user does not have to find the message and copy the code.
Flash calls and data verification, on the other hand, each offer an improved UX. They run in the background. In other words, they just happen without the user having to do anything.
Companies are finally waking up to their potential. But we don’t think this is the end of SMS OTP. Instead, it just increases the options.
The reality is that companies need to assess the full range of authentication techniques and choose the most appropriate method for each use case: account logins, transaction approvals and so on. And it should be easy for them to do this. Now that communication channels have moved to the cloud, providers like Sinch offer one unified API to cover all techniques. After all, it’s not just consumers who need good UX.