The real costs and opportunities of one-time passwords
by Thorsten Trapp, Co-Founder & CTO, tyntec
New white paper research conducted by the Ponemon Institute and sponsored by tyntec, entitled ‘Unlocking the Mobile Security Potential: the Key to Effective Two-Factor Authentication’, has revealed that 90 per cent of IT managers around the world are considering adopting two-factor authentication (2FA) this year. SMS-enabled 2FA is rapidly becoming the authentication method of choice, and its integration is on the rise because of its secure, cost-effective and user-friendly nature. Along with these benefits comes the ability to use a One-Time Password (OTP), which can provide new and valuable visibility options and opportunities.
This authentication method comprises two factors, or ‘steps’. The first occurs when a user subscribes or logs into their account with their user name and password.
The second factor occurs when the end-user receives and enters an OTP online which verifies their identification, activates their account or completes the registration or download process.
However, many companies using mobile authentication, whether to secure private data or to improve customer experience, are unaware of the control and visibility opportunities they are overlooking.
Consequently, they are often unknowingly paying the price associated with lack of complete transparency.
The consequences of invalid mobile numbers and undelivered passwords
The global research confirmed that 11-20 per cent of OTPs fail to be delivered and that, of those, almost 50 per cent on average fail because of an invalid mobile number.
The expense to companies, banks, app developers and internet companies deploying SMS-based 2FA occurs when OTPs are never received and confirmed by the end-user, which results in uncompleted transactions, lost conversions and customer dissatisfaction.
The study also confirmed that only 4 per cent of IT professionals verified a user’s mobile number before sending the OTP for authentication.
This means that the bulk of messages sent are unchecked and possibly undelivered, yet still charged to the sending organisation, resulting in wasted SMS message costs.
The unquantifiable cost lies in loss of customer loyalty and satisfaction.
Undelivered OTPs leave end-users frustrated and often confused as to what they should do next, which might be to call customer support, creating additional overhead costs.
When a consumer doesn’t receive their OTP within a reasonable amount of time, not only will they be unable to access their account, verify their user-identity or complete their transaction – they’ll also be questioning the integrity of the company providing the service and the level of protection that surrounds their data.
Real-time visibility & the SMS-2FA process
Companies wanting to add a layer of intelligence to SMS-based 2FA can do so by way of real-time pre-verification of mobile numbers.
This simple step ensures a proper balance between cost and reliability: it saves money, increases conversion rates, creates visibility and leaves customers with an overall better user experience.
Accurate and efficient checks of mobile numbers are provided via a responsive report.
When the validation process fails, senders are made aware of it and a notification is sent to the user to resubmit their mobile number or choose an alternate verification channel.
The report also provides added status information such as “on/off” or “roaming” so that the OTP can be sent when the end-user is available or once again in-network.
Following a satisfactory check on the mobile number, the OTP will be sent, confirmed and the transaction can be concluded.
End result – service providers improve customer satisfaction with fewer complaints, reduce customer support costs and increase their conversion rates.
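The pre-verification flow described above can be expressed as a gate that runs before any billable SMS is sent. This is an added example, not tyntec's API or code from the white paper: the `NumberReport` fields, the E.164 format check, the six-digit OTP and the sample numbers are assumptions constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple

class Action(Enum):
    SEND_NOW = "send the OTP"
    DEFER = "hold until the handset is reachable or back in-network"
    RESUBMIT = "ask the user to resubmit the number or pick another channel"

@dataclass
class NumberReport:
    """Hypothetical shape of a lookup report; field names are assumptions."""
    valid: bool
    status: str  # "on", "off" or "roaming", the states the article names

# Assumption: numbers are submitted in E.164 form (+ and up to 15 digits).
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

def gate_otp(msisdn: str, lookup: Callable[[str], Optional[NumberReport]]
             ) -> Tuple[Action, Optional[str]]:
    """Decide what to do before any billable SMS is sent."""
    if not E164.fullmatch(msisdn):
        return Action.RESUBMIT, None          # malformed: no lookup needed
    report = lookup(msisdn)
    if report is None or not report.valid:
        return Action.RESUBMIT, None          # invalid number: do not send
    if report.status != "on":
        return Action.DEFER, None             # "off" or "roaming": wait
    # Generate the code only at send time, so a deferred request does not
    # consume the OTP's validity window while the handset is unreachable.
    otp = f"{secrets.randbelow(10**6):06d}"
    return Action.SEND_NOW, otp

# Constructed sample reports standing in for a real lookup service.
SAMPLE_REPORTS = {
    "+491700000001": NumberReport(valid=True, status="on"),
    "+491700000002": NumberReport(valid=True, status="roaming"),
    "+491700000003": NumberReport(valid=True, status="off"),
    "+491700000004": NumberReport(valid=False, status="off"),
}

def summarize(numbers):
    """Count outcomes for a batch; only SEND_NOW results cost an SMS."""
    counts = {action: 0 for action in Action}
    for number in numbers:
        action, _ = gate_otp(number, SAMPLE_REPORTS.get)
        counts[action] += 1
    return counts
```

Numbers with no report at all are treated like invalid ones, so an outage of the lookup service leads to a resubmit or alternate-channel prompt rather than an unchecked send.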
Another point worth highlighting about SMS-2FA is the delivery method by which the SMS is sent.
Although there are several ‘low-cost’ SMS deployment solutions, not all can guarantee delivery rates, assure secure transmission or offer added visibility features.
All these are important factors to bear in mind when integrating mobile security.
Companies that would like to successfully integrate SMS-based two-factor authentication should be sure that they partner with a reputable company: one that has a strong (preferably its own) infrastructure, has the ability to transmit secure SMS traffic, and can offer flexible options to provide real-time visibility checks of mobile numbers.
Serial entrepreneur, Thorsten Trapp, co-founded tyntec in 2002. His deep knowledge on the technical side of telecommunications combined with his ability to spot emerging trends and develop products and services to meet industry demand mean he is a highly regarded industry expert who is a regular feature in the global trade press. Thorsten is a hands-on CTO who is active in driving many parts of the business, including the development of new business models to support tyntec’s products and services. He is also experienced in negotiations with investors and global enterprise clients. In addition, he possesses first-hand management experience in successfully overseeing the growth and transformation of his company from a handful of employees to the global 150-person company it is today. Having played a key role in bringing enterprise-level SMS services to multinationals on a global scale, Thorsten believes that the next challenge the telecommunications industry faces is to master the convergence of telecommunications and emerging IP-based communication systems.