Mobile Two-factor Authentication: Get Ready for the Next Phase
Are those ubiquitous four-digit text passcodes enough? What’s the future of two-factor authentication?
The one-time SMS passcode has been the primary tool for customer authentication for more than a decade. Now, change is in the air – and it’s all thanks to secure, cheap, and speedy alternatives such as data verification and flash calling. Lee Suker, head of authentication at Sinch, explores the implications.
During the pandemic, many millions of consumers received the following text for the first time: ‘here is your security code, please do not share it with anyone’. Every year, companies send billions of these authentication messages. They have good reasons to do so. Two-factor text passcodes (SMS OTP) provide a reliable way to onboard a customers telephone number and gives nearly everyone on the planet access to two-factor authentication.
The combination of ‘something you know’ (your userID/password) with ‘something you have’ (possession of your phone, verified by correctly entering the OTP code) makes it much more difficult for fraudsters to takeover your online accounts
So why did the volume soar during the COVID period? In a socially distanced world, many people switched over to digital services for the first time. In order to shop, bank and access government services remotely, these newbie consumers needed to prove their identity remotely. The best way to do that? Signing in with a two-factor text.
Industry data reveals the extent of this growth in business-to-consumer messaging. According to the trade body MEF, 89 percent of consumers now regularly receive texts from brands – and most receive two to 20 a week. Meanwhile industry analyst Mobilesquared says a million businesses tried mobile messaging for the first time in 2021.
Of course, businesses send texts for all sorts of reasons – marketing, customer care, alerts. But authentication is the primary use case. In fact, passcodes could represent around 20 percent of all business text traffic.
See More: Viewing Data Security Through the Lens of Human Impact
The Phone in Your Hand vs. the Password in Your Head
To understand the rapid rise of this authentication technique, you have to understand what it replaced. Ten years ago, most people logged into online accounts using a username and password. This was (and still is) a deeply flawed process. Bad actors can quite easily steal these pieces of personal information via social engineering or phishing. They can even buy databases of stolen passwords on the dark web.
Passwords don’t work well for consumers either. People are told: use a different password for every service. Make it really long and complicated. Never share it. And certainly don’t write it down.
Understandably, most ignore this advice, however sensible and well-intentioned it is. Instead, they do the opposite. They choose simple passwords, which they use across multiple accounts.
As we discussed earlier, one-time SMS passcodes offer a much more secure and user-friendly option. But not a perfect one. Over time, fraudsters have worked out how to crack the method.
The most common form of attack is smishing (SMS phishing). Here, the fraudster sends a text message that appears to be from a trusted source to trick recipients into clicking a link. The bogus link then downloads malware to the target smartphone enabling the criminal to perform a ‘man-in-the-middle’ attack (intercepting the OTP, passing the code to the criminals without the user’s knowledge). Intercepted OTPs are then used in conjunction with stolen passwords to access private accounts.
Historically the online industry has attempted to mitigate this particular problem through the education of end-users…..don’t click on that link!
Another attack method is SIM swapping. Here, the attacker pretends to be an MNO customer and uses social engineering techniques to persuade a telco call agent to send out a replacement SIM for a lost/stolen phone. He or she is then able to receive OTP texts and change security details. These attacks are highly targeted and its fair to say that MNOs have developed processes to prevent such incidents.
Mobile Authentication: New Options at Last
Needless to say, the messaging industry is working hard to combat these abuses. For example, it has developed official sender ID registries and embarked on consumer education campaigns.
For these reasons – and also because of the sheer familiarity of the method – the text OTP remains the default authentication choice of most digital service providers. But in the background the industry has been devising alternatives. And now these new options are finally gathering momentum. Let’s explore the top two.
Data verification
Every phone has its own IP address and its own public number. Data verification capitalizes on this unique combination to enable secure authentication in seconds. The process works by confirming that the phone number and the IP address are the same in any given data session.
The technique is very secure since it removes the social engineering risk associated with OTPs. Data verification also makes it almost impossible for a fraudster to perform a man-in-the-middle attack because of the speed of the authentication.
Flash calling
A flash call uses voice rather than text to authenticate a user. The enterprise (via a message provider) makes a deliberately missed call to the target user from a random number. The last four digits of the incoming number contain the passcode that the consumer uses to authenticate. In the most sophisticated use case, the receiving phone (only Android models) answers the call automatically and processes the passcode without the user’s active involvement.
Flash calling is very secure: the risk of ‘man in the middle’ interception by fraudsters is considerably reduced. But just as significant, it is cheap. Randomly generated IP calls cost little to make (especially when they are not picked up by the recipient). In fact, we estimate that flash calls can be at least 25 percent of the authentication cost. For any enterprise sending millions of SMS OTPs, this is extremely compelling.
In the End the User Experience Wins
While both of the above methods score highly on security and cost, there’s a third reason for enterprises to consider them: user experience.
It’s hard to overestimate the importance of UX. After all, the success of any authentication process, no matter how safe or affordable, ultimately depends on the willingness of consumers to use it.
The SMS OTP UX is pretty clunky. Think about it: a user has to wait for the code to appear, exit the application, open the messaging app, make a note of the digits, return to the app and then type it in. This is an issue in the online world, where attention spans are short. In fact, a 2020 study by Yubico found that 23 percent of respondents said SMS OTPs are very inconvenient, while 56 percent of those who use a smartphone or other personal device to access work-related items don’t use 2FA at all.
It’s also fair to say that while SMS is clunky, it is also well-understood. Familiarity is a comforting concept for users. It follows that getting the best possible SMS experience is essential. As well as delivering OTPs quickly, in some circumstances, the device OS automatically processes the OTP for the user without finding the message and noting the code, for example.
By contrast, flash calling and data verification each offer an improved UX. They execute in the background. In other words, they just happen without the user having to do anything.
Enterprises are finally waking up to their potential. But we don’t think this represents the end for the SMS OTP. Instead, it just widens the options.
The fact is, companies need to assess the full range of authentication techniques and choose the most appropriate method for their use case: account sign-ups, transaction approvals, logins etc. And it should be easy for them to do so. Now that communications channels have moved to the cloud, providers such as Sinch will offer a single unified API to cover all the techniques. After all, it’s not just consumers that need a good UX.
Do you think data verification and flash calling are quicker and safer options for authentication? Share with us on Facebook, Twitter, and LinkedIn.
MORE ON TWO-FACTOR AUTHENTICATION
- Top Tips to Protect Your Organization Against the Biggest Security Threats of 2022
- MFA Is Not Enough: Eliminate Passwords to Simplify the Security Stack
- The Authentication Problem: Rethinking Passwords
- The Current State of Passwordless Authentication
- What Is Two-Factor Authentication? Definition, Process, and Best Practices
