SMS-based two-factor authentication (2FA) is rapidly becoming the "go-to" identification method for maintaining privacy, sensitive or high-value transactions, with Google, Facebook and Twitter all using the method to secure their services and data.
By sending users a one-time password (OTP) via SMS to a registered mobile number as part of a login process, enterprises, app developers and Internet businesses can easily integrate an additional layer of security above and beyond the basic and easily attackable single sign-on of username and password.
However, this increasing popularity is driving additional, hidden costs. Although two-factor authentication is cheap to integrate and operate, there can be the hidden costs associated with a number of unsatisfied customers who never actually receive their OTP to authenticate, convert or complete their transaction. Industry sources suggest that as many as 13 per cent of OTPs sent as part of a 2FA-secured transaction might never be received. The reasons for this are various but might include technical issues, user-error and wrongly entered mobile numbers.
This relatively high level of message failure can have three major effects on service providers:
The most straightforward impact is cost. Depending on the reason for failure, an undelivered OTP could still be charged to the sending organisation; effectively implying that a far greater number of OTPs are sent, never to be activated, resulting in wasted 2FA message costs.
A harder to measure, but fundamental, cost will be in terms of damage to consumer confidence should a failed send incur. If a consumer doesn't receive a promised 2FA message within a reasonable amount of time, they will not only be unable to access their account, verify their user-identity or complete their transaction, but also be left wondering as to the integrity of the security systems and ability to protect their private data. Naturally, this will erode trust and gradually make an - often irreversible - impact on user-adoption and brand reputation.
The costs of a failed 2FA interaction don't stop at wasted message spend. A customer who is unable to access a service will be likely to contact their service provider for customer support, creating additional contact centre costs for what should have been a straightforward transaction. If there is no customer support necessary, the result is the same in that the conversion or completion never takes place, which is a loss to the customer but also to the business dependent on public adoption of services.
Whilst these threefold costs might seem relatively slight, when taken in aggregate across the exorbitant amount of failed 2FA messages, they quickly add up to a significant figure. There are a few simple things that service providers can do to minimise failure rates:
One of the most common causes of send failure is simply incorrect mobile numbers, either through user-error at the data input stage or because a user's number has changed. Simple consumer awareness highlighting the reasoning behind mobile authentication in the first place, the importance of entering the correct number and keeping numbers up to date, should drastically reduce this sort of basic problem. Similarly, making it clear to users that, as part of a transaction, they should be expecting an OTP message or failing that, they will receive a message stating that their number is invalid and give them opportunity to correct it and once again await an OTP to authenticate or verify their user identity.
In situations where the failed send isn't a result of incorrect or out-of-date contact details, technical error can often be to blame. Purchasers of SMS have a range of quality options that they can choose from: cheaper solutions can result in much less effective delivery rates than the high-quality options. Senders of 2FA messages need to look at the holistic costs of failed sends and then make a judgement on their preferred quality level and desired delivery, rather than just selecting the lowest price.
Some providers offer the ability to run what's known as a 'number lookup' on SMS transmissions before a message is sent. This essentially queries the receiving number to ensure that it is valid before committing to a message transmission. This approach can benefit the sender in saved costs over the long term – firstly by preventing failed message sends and secondly by protecting consumer confidence. This can be done in real-time, so as to not further add to the delay of an unsatisfactory customer experience, and readily create solutions to a situation where a number appears to be invalid. In this case, the customer can be informed so they can attempt to resolve the problem by re-entering their details or seeking alternative ID verification.
The validity of two-factor authentication as a method is not in question – it can offer a cost-effective, robust and easy-to-use identification method. A single growing issue is that, with its increasing popularity, greater scrutiny will inevitably be placed on the cost/benefit calculation. By ensuring that the balance between cost and reliability is optimised from the beginning, service providers can ensure that they're getting the most – in terms of cost, conversion rates and customer experience – out of the 2FA SMS-based security method.
Thorsten Trapp is the CTO and co-founder of tyntec.