The global pandemic has accelerated digital transformation. Decades-long technology roadmaps have been compressed into weeks as companies, brands and organizations have had to rapidly adjust to working at-a-distance from their customers, patients and staff. Shops have moved online, banks conduct routine functions via chatbots and healthcare organizations manage appointments via text at a huge scale.
Consumers have also adapted quickly, necessarily opting for minimal contact with the businesses that they were once habituated to interacting with. It’s also becoming apparent that many of the changes in behavior are here to stay. Consumer research from Sinch, found that fifty-eight percent say they’ll continue to avoid crowds, 52 percent will avoid travel, and 46 percent will spend less time inside shops.
One consequence of this digital shift is the need to authenticate ever-increasing numbers of people as securely, and importantly with as little disruption to the user experience, as possible. Well-known apps like Amazon, Apple, Google, Facebook, Instagram and Twitter all routinely use and need authentication as a baseline for security.
Ten years ago, logging in to an online account or service was down to using a username and password to gain access. However, it’s well documented that we can ill afford to rely on this method alone. Bad actors have become adept at gaining access to these pieces of personal information via social engineering and phishing techniques, while numerous databases containing stolen passwords are available for sale to those who know where to look.
Passwords are also a memory test. A fair estimate on the number of passwords that a user has to retain is between 80-100. It’s no wonder that easy to remember (and easy to hack) passwords are popular as is the practice of password duplication (one key for all accounts).
The goto method for securing access is of course two-factor authentication (2FA). There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or smartphone), and something you are (such as your fingerprint).
Two-factor means using two of these options - most commonly the user receives a number code via a simple text message, or as text-to-speech (necessary to support accessibility issues like age, visual impairment or non-ownership of a mobile device).
New authentication techniques are now becoming available, typically through an API enabled by communications as a platform (CPaaS). Two alternatives in particular have come to the fore.
1. Data verification
Data Verification works on the interplay between the IP address that the mobile network operator assigns to a user’s telephone number when they are using mobile data. The verification works by confirming that the telephone number associated with the identity of the end-user that is trying to perform a verification, is identical to the number associated with that session.
The service is very fast (sub-two seconds) very secure since it’s impossible to intercept via a ‘man in the middle attack’ or via social engineering since it's not reliant on any piece of information that the user has had to memorize at some point.
2. Flash call verification
A voice call is initiated from a randomly chosen number and sent to the end-user. An android phone answers the call automatically and uses the calling party number as the authentication instead of a one-time password code that would normally be sent via SMS.
Similarly to Data Verification, Flash Calls are faster, more secure and cheaper than SMS since the connection is just acknowledged by the Mobile Network Operator as an unanswered call. In fact, we estimate that Flash Calls (with SMS as a fallback) can save up to 25 percent of the authentication cost and can be delivered up to 70 percent faster. That’s important when you consider how some large enterprises use millions of SMS OTPs as their, often only, channel for verifying customers.
User experience wins
As organizations are increasingly doing business with their customers online and employees get habituated to working with cloud-enabled tools, the user experience is becoming a top priority. Most security-savvy companies understand that enabling two-factor authentication is one of the best ways to protect accounts online. In fact, in May 2019 Google reported that enabling multi-factor authentication can block up to 100 percent of automated attacks, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks.
But there’s a problem. UX designers generally argue that the protection that 2FA provides, albeit necessary, comes at a cost to the user experience. It interrupts the user’s flow. Even a simple process, like entering a one-time password, requires the user to wait for the SMS to arrive, change apps, copy a code, and go back to the original app and paste in the code before returning to their original intent.
While mobile operating systems are making it easier to enter a one time password with less context switching, it still represents a disruption, and in the online world, where a consumer’s attention can last for a fraction of a second, it’s vital that friction is kept to a minimum.
Furthermore, although it’s basic hygiene, 2FA, unless mandatory, isn’t always welcomed by consumers. There’s evidence that this is the case. A 2020 study from Yubico found that 23 percent of respondents found SMS one-time passwords to be very inconvenient while 56 percent who use a smartphone or other personal device to access work-related items, don’t use 2FA.
This brings me perhaps to the most important point about both Flash Calls and Data Verification authentication techniques. They both happen in the background without any need for the user to intervene. So, as well as being secure and significantly cheaper, they are also seamless - they just happen!
In the near future just like with so many other as-a-service- platforms, we are likely to see single unified APIs being offered that deliver authentication that is able to determine the most appropriate method based on consumer expectations of a slick user experience, the service characteristics - account sign-ups, transaction approvals and logins and also the business goals of any given company, for example, increasing conversions or reducing costs. In that scenario, not only will the end-user not have to care how their authentication is happening but CFOs, CSOs and heads of UX will have the security versus user experience debate well and truly put to bed.
Lee Suker, Head of Authentication, Sinch