By Tobias Manolo
If you’re not aware, SMS-based 2FA (two-factor authentication) is used by Facebook, Google and Twitter as a way of securing their data and services. In fact, this method of authentication is fast becoming ‘the’ method to use when maintaining high value, sensitive and private transactions. Internet businesses, enterprises and app developers now send users an OTP (one-time password) via an SMS message to a registered mobile number as part of their login process; from there, they are able to integrate an extra layer of security that goes beyond the basic single sign-on format of username and password, and therefore make it safer.
The problem is that there with this rise in popularity in using this method, there comes the ‘noose around the neck’ of further hidden costs. Yes, 2FA is cost-effective to integrate and use, but it’s the number of unsatisfied customers who never receive their OTP to continue their authentication process in order to complete their transaction that is pushing up these extra costs. It has been suggested by industry sources that around 13% of OTPs that are sent as part of a 2FA-secured transaction may not even be received; a variety of reasons could be the cause of this, i.e. user-error, technical issues or mobile numbers that have been entered incorrectly. But this doesn’t change the fact that message failures at this high level will affect service providers in three main ways:
1. Cost – even if the OTP message fails, the organisation sending the message could still be charged; and that implies that many of the OTPs sent, more than is probably actually known, are never activated and leads to wasted costs.
2. Support – the wasted costs don’t stop at the message failure stage; if customers can’t complete their transactions, can’t access a service, more often than not they will contact their service provider’s customer support team – that costs money, too. And if there is no customer support team and no completed transaction or service conversion, then the customer is likely to take their business elsewhere – and that costs money, too… to the business dependent on the 2FA authentication!
3. Consumer trust – the third resulting cost is a break in the consumer’s trust due to the OTP message failure, although the level of cost involved is much harder to measure. If a consumer doesn’t receive the 2FA message they’ve been promised, within the time frame specified (or at least a reasonable time frame), not only will they not be able to verify their identity and complete their transaction or access their account, they will also start to question the organisation’s security process, the organisation’s ability to keep their data private and secure, and wonder if the business itself is worth their support! The resulting impact on user-adoption and reputation costs money, too!
We might be talking small amounts but they add up over a period of time. So, what can be done to reduce the failure rate? Well, probably the most common cause is mobile numbers that are incorrect, either from errors by the user in entering the number or because the number has changed. By highlighting the importance of entering the mobile number correctly, keeping numbers up-to-date and by building awareness as to why the mobile number needs to be authenticated will greatly reduce the problem. In addition, educate users as to why this process is part of their transaction – explain that should expect to receive an OTP message and to look out for it, and by advising them if the number they entered is invalid and allowing them to re-enter and then await a further OTP message to verify their identity – all these steps will help to reduce the failure of OTP messages.
Some providers are able to offer an additional service known as ‘number lookup on SMS transmissions prior to a message being sent. This service will query the receiving mobile number and make sure it is valid before it commits to sending the message. Long term, this will result in cost savings for two reasons; one, it will lower the failed message rate as messages won’t be sent to invalid numbers, and two, the consumer’s trust in the organisation and the process will be protected. The service can be operated in a real-time environment so there is little delay, and can be set up to create a solution should a number be invalid, i.e. the consumer can be notified that the number is invalid and they have an opportunity to resolve the problem, such as re-entering the mobile number or find an alternative ID verification.
If the problem isn’t due to the mobile number being incorrect or out-of-date, then message failures could be down to a technical issue. SMS users have a number of quality options to choose from; choosing a cheaper option may result in delivery rates being less effective. Organisations that use and send 2FA messages need to consider the holistic costs of failed messages and ascertain whether there is a preferred quality level in order to ensure a better delivery rate – it’s not always down to the lowest price.
The fact that 2FA is a valid method of authentication isn’t in doubt; it is a cost-effective, easy-to-use and understand way of validating an identity. As its use continues to rise and grow in popularity, what does start to become a concern is the balance between benefit and cost, and it’s this that providers need to continue to ensure remains optimised.