2FA involves deploying One-Time Passwords (OTPs) to end-users, for example as part of their login procedure. It is seen as a stronger security measure because, in addition to entering a username and password, the user must supply the OTP as a second layer of authentication to prove that they are who they say they are.
There are a number of ways that OTPs can be delivered: from sheets of paper, often called “mTans” (mobile Authentication Transaction Numbers), generated by portable devices called “tokens”, or carried via an SMS. It is this last method – SMS-enabled 2FA – that has caught the imagination of companies such as Google, Facebook and Twitter in their efforts to protect customers’ accounts from unauthorised access and attacks.
With SMS-enabled 2FA, a user registers their mobile phone number when they set up their account. Then, when they attempt a security-sensitive action, for example logging into their account, changing their password or completing a financial transaction, an OTP is sent to that mobile number and must be entered as part of the login and verification procedure. By presenting the correct OTP, the user demonstrates that they hold the registered mobile phone and are therefore the rightful owner of the account being accessed.
The benefits of this approach are clear: mobile phones are a truly personal device and consumers are more likely to have their phone to hand than a piece of paper or a special code-generating handheld. The speed and ease-of-use of SMS make it an essentially universal communications tool, ensuring that virtually every user will know and understand how it works.
Additionally, for service providers, SMS is relatively cost effective, making this approach financially attractive for most types of services. Intensifying the security benefits of OTPs is the fact that they are only valid for a single session and can be configured to be viable for a limited period of time.
The Perils Of SMS-Enabled 2FA
Research, “The Key to Effective Two-Factor Authentication”, illustrates the potential success of SMS-enabled 2FA, revealing that 90% of IT managers around the world are planning or considering adopting the technology this year. However, the data also shows that it isn’t foolproof: between 11% and 20% of all OTPs aren’t delivered, and on average almost 50% of those fail because an invalid mobile number was entered by the end user.
Why does this matter? Quite apart from the fact that it implies an unacceptable level of consumer inconvenience, service failures like this have deeper implications for consumer trust. A user who is unable to access their account because of a failed OTP will inevitably blame the service provider, diminishing the relationship with that brand. Moreover, given the sensitivity of online security related issues, a failed OTP could significantly undermine confidence in the integrity of security processes.
An Ounce Of Prevention Is Worth A Pound Of Cure
A few roadblocks to successful OTP delivery via SMS for authentication:
- A major cause of delivery failure is invalid mobile numbers, which can be addressed through consumer education. When users understand the importance of registering their mobile number accurately at the signup stage, and why they are being asked for it at all, many issues down the road are prevented.
- OTPs might not reach their destination for technical reasons, some of which can be rectified with process transparency. Transparency in OTP delivery makes the service provider aware when a message has not been delivered, so that the customer can in turn be told there is a problem delivering the OTP and that authentication should be completed via another channel.
- Lack of pre-verification of the mobile number. 2FA providers can check that the recipient’s mobile number is valid before an authentication OTP is sent. Not only can the provider then inform the recipient that delivery would fail, pre-verification also reduces the cost of failed SMS sends and increases the success rate of conversions.
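The server-side half of this flow, as an added example that is not part of the original article: the number is normalised and checked for E.164 shape before any OTP is issued (the pre-verification point above), and each issued code is single-use and time-limited, as the earlier section describes. The digit-count rule, the 6-digit code length, the 5-minute default lifetime and the in-memory store are all assumptions for illustration; a real deployment would hand the code to an SMS gateway and persist the pending entries.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumed E.164 shape: a '+' followed by 8 to 15 digits, leading digit non-zero.
E164_RE = re.compile(r"^\+[1-9]\d{7,14}$")


def normalize_msisdn(raw):
    """Strip spaces, dashes and brackets, map a '00' prefix to '+', and return
    the E.164 number, or None if the input cannot be a deliverable number."""
    digits = re.sub(r"[\s\-().]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits if E164_RE.match(digits) else None


class OtpStore:
    """Issues single-use, time-limited OTPs and keeps only a keyed hash of each code,
    so a leaked store does not reveal codes still in flight."""

    def __init__(self, server_key, ttl_seconds=300, clock=time.time):
        self._key = server_key
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # msisdn -> (hmac digest, expiry timestamp)

    def _digest(self, msisdn, code):
        # Bind the code to the number so a code cannot be replayed against another account.
        return hmac.new(self._key, f"{msisdn}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, raw_number):
        """Return (msisdn, code) for the SMS gateway, or None if the number is invalid
        and no message should be sent at all."""
        msisdn = normalize_msisdn(raw_number)
        if msisdn is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded 6 digits
        self._pending[msisdn] = (self._digest(msisdn, code), self._clock() + self._ttl)
        return msisdn, code

    def verify(self, raw_number, code):
        """A pending code is consumed by its first attempt, right or wrong, and is
        rejected once its lifetime has passed."""
        msisdn = normalize_msisdn(raw_number)
        entry = self._pending.pop(msisdn, None) if msisdn else None
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            return False
        return hmac.compare_digest(digest, self._digest(msisdn, code))
```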
SMS-Enabled 2FA: The Future Of Online Security
Clearly SMS-enabled 2FA is never going to be the be-all and end-all for every online security woe, and there will always be situations to manage. However, one way companies can truly benefit from this type of authentication is to work with a provider that has a strong infrastructure and can offer real-time checks of mobile numbers to avoid One-Time Password failure.
Consequently, in the vast majority of use cases SMS-enabled 2FA offers a highly secure solution that can be easily understood by consumers and can be offered cost effectively. This combination of security, ease of use and price gives three solid, well-balanced reasons why SMS-enabled 2FA is becoming the most widely integrated security method and a clear contender for anyone looking to enhance their online security.