One of the silver linings of the Heartbleed hoopla was that it brought much needed attention to the vulnerability of online security and made a rising star out of the solutions that help combat security breaches, specifically two-factor authentication (2FA). Companies and consumers alike are no longer confident in the traditional login/password approach as their primary security method – according to 68% of IT security professionals surveyed in North America. As 2FA increasingly becomes the verification method of choice for security conscious organizations, many are even considering making it mandatory. Despite the increased interest in intensified security, end-users and organizations are at crossroads when it comes to the deployment of 2FA.
Breaking it Down—How 2FA Works
When users opt-in for 2FA, following the usual user name and password login, a second password is required to verify the identity of the entity accessing the account. Second password, second layer, two-factor; they all refer to this act of having a second step for authentication. Once the second password is successfully entered, the account is accessed and life moves on.
The key differentiator is in how the second password or One-Time Password (OTP) comes into existence. OTPs could arrive on pre-printed on sheets of paper, generated through portable token devices or be instantly delivered via SMS. From a security perspective, OTPs have the added benefit in that they can be set to expire after a certain period of time and can’t be used again. Many companies are opting to integrate SMS-based 2FA to deliver these passwords because it’s convenient, familiar, low-cost for the sender to employ and above all it’s secure.
A recent Ponemon report found that companies implementing SMS-based 2FA use the method mainly for identify verification in user registration (43%), each login (38%) and transactions (33%).
Are Consumers Unduly Cautious About Sharing Their Mobile Number?
A recent survey conducted by YouGov found that the vast majority of end-users around the world are first, unaware of what two-factor authentication is and second, reluctant to share their mobile number with online application providers. The “why are they reluctant?” is answered simply because the information is shared online and it’s that private information that is the desirable object for hackers.
When asked, only 11% of US survey respondents claimed to be willing to share their mobile number with online application providers to add an additional security feature on their individual social media accounts.
The Human Factor: Invalid Mobile Numbers
On the flip side, already security conscious organizations are facing challenges when it comes to successful deployment of SMS-based 2FA. What they’re finding is that end-users often enter incorrect mobile numbers when opting in for 2FA, resulting in incomplete authentication or transaction.
The same Ponemon survey found that a majority of North American organizations cite that:
– 11-20% of verification codes or OTPs sent via SMS fail to be delivered to the end-user’s mobile device.
– Of that, 48% fail because an invalid mobile number was entered by the end-user.
There is a cost associated with sending all these un-delivered SMS messages beyond the actual price of sending each SMS, which is that of unfulfilled customer experience.
– 29% of North American respondents companies using two-factor authentication are still unaware that verification codes sometimes don’t get delivered.
– 30% are aware of the issue but are unsure of the reasons why they fail or how to fix it.
Compromise that Suits Everyone
So it seems to be a catch 22 situation; to increase security you have to release a little private information about yourself. Companies using 2FA are getting smarter and more transparent about how they approach consumers about security and why their mobile number is a critical ingredient to securing their data. Conversely, consumers are getting more education on security because of media attention to topics like Heartbleed and how using a trusted method like 2FA from reliable source can actually increase their overall security and protect data privacy.
What everyone can agree on is that it’s time to get serious about data security and it needs to happen quickly. Business leaders can’t ignore the need for cybersecurity—and consumers increasingly demand more security online. Enterprises need to arm themselves with secure systems that are intuitive and user-friendly for end-users, while considering the benefits of transparency, cost and reliability.
One clear way to create efficiency and accuracy is by performing validity checks of the mobile numbers, in real-time, so companies can instantly notify users if they’ve entered inaccurate mobile numbers. It saves a wasted SMS from being sent and helps consumers successfully complete the authentication process.
– 68% of North American IT professionals claimed they’d be interested in learning whether a mobile number is valid in real-time to strengthen security measures and reduce the amount of failed verification codes.
– 72% felt that enhanced mobile authentication features like mobile number verification would improve the overall customer experience.
– Right now, only 6% of North American respondents do so and report improved customer satisfaction, reduced customer support costs and higher conversion rates.
There’s no question 2014 will be another active year for cybercriminals, but the more education on online security and its solutions, the more prepared we’ll be to deal with attacks and protect privacy and private information.
Thorsten Trapp is the Co-Founder and CTO of tyntec. He is a highly regarded mobile industry expert with over 20 years’ experience in the space.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.