SMS-based two-factor authentication (2FA) is an essential component of online security today. Secure access to our accounts does more than just prevent fraud—2FA creates a circle of trust around and within a service, offering a competitive advantage for companies that offer it and make it easy for customers to use.
When consumers see companies offering 2FA for enhanced security, it serves as a proxy for dedication to overall security. Consumers know that security breaches are unpredictable—and sometimes they are out of a company’s control—but companies that implement 2FA signal to consumers that they take security seriously. This is increasingly important as we trust more of our digital lives to online services.
The internet has revolutionized business transactions, how consumers access brands, and how companies connect with their customers. Now technology is helping us be more secure doing all of those things.
Consumers See 2FA As Proof Of Strong Security
In April 2016, Sony’s PlayStation network announced that it will soon offer 2FA for users. Unfortunately, that move came too late to help prevent the 2011 hack that exposed the personal information of 77 million users.
Amazon engineer, Josh Davis, helps consumers see which companies support 2FA security initiatives with his site Two Factor Auth List. The site lists hundreds of services—from investment firms to coffee shops—showing which have implemented 2FA and which haven’t. For companies that haven’t, a button lets consumers tweet the company with a preset message encouraging them to start offering 2FA on their service.
2FA Drives Consumer Confidence in Online Brands
The internet made one-to-one transactions via marketplaces like eBay and Etsy possible. But there was a hitch. The simple system of usernames and passwords that allowed ecommerce to flourish, has never been very secure. This single factor of authentication (a password) is easy for users, but makes the system vulnerable to a wide variety of cyberattacks. This is where 2FA comes in by adding an additional layer of security to accounts. Two-factor authentication is a simple fix to an age-old problem.
ATMs have used two-factor authentication for decades. You take something you have (the card) and combine it with a secret (your PIN) to unlock your account. Without the PIN, the card can’t access your account (and your PIN alone can’t unlock your account either). Online we combine your username and password with one extra step, a one-time password (OTP) that proves who you are.
The easiest way for 2FA to work is through SMS. When you want to sign in into something like LinkedIn or Gmail, you’ll need to provide two pieces of information—your password and the PIN code sent via SMS to your trusted device. By entering the code, you’re verifying that you’re the user of the account. Because your password alone is no longer enough to access your account, two-factor authentication significantly improves the security of your account and the personal information you store in your account.
Having stronger security measures for ecommerce sites increase consumers’ trust. Consumers are more likely to trust other consumers on sites like eBay or PayPal knowing that everyone on the system must pass through the same tight security as they did. Building a large circle of trust within the community—especially with services like eBay and Etsy—is essential to these services’ long-term success.
While eBay only offers 2FA to some customers, PayPal offers 2FA to all users (and has since 2008) and lets you link your PayPal 2FA to your eBay account for purchases. Etsy offers its customers SMS-based 2FA. If the user signs in from a different browser than usual, they must enter a code sent via text message to complete the sign-in. Etsy also requires users who select 2FA to submit a verification code every 30 days.
For 2FA to work, it has to get to the user
The goal of 2FA is to secure personal information while still providing a smooth user experience. Imagine your customer who has activate 2FA on your service and is waiting to receive a one-time password before completing a banking transaction—but the PIN never arrives. The customer isn’t going to be happy if the transaction cannot be completed. PIN code deliverability is key for 2FA security to work. It won’t take many OTP failures for people to turn off 2FA altogether, defeating the purpose of having it in the first place.
The question is what is a reliable way to deliver an one time password to users. The answer is SMS. Text messaging delivery rates average 90%+ in North America and most of Europe, and only slightly lower in the rest of the world. Nearly every mobile phone user can receive an SMS, even in areas where mobile data plans are prohibitively expensive.
One-time passwords can be configured to expire after a certain time, making them useless if they are somehow intercepted. Two-factor authentication solutions from providers like Infobip offer an option for an IVR (interactive voice response) OTP delivery, if the SMS OTP isn’t getting through to a customer.
The alternative to SMS is using a mobile app (allow on someone’s phone). The challenge is that verification over mobile apps relies on too many things going right. The user has to download and activate the app. Then the app has to be connected to each service one by one. If the customer gets a new phone or restores the phone from backup, then the connection between the 2FA app and all the services is lost and must be restored manually.
Platform and version incompatibility can cause the apps to fail; whereas SMS is already available on the vast majority of phones. Email is also vulnerable—it's common knowledge to avoid sending sensitive personal and financial data in an email.
Even postal mail compares poorly to SMS for sending PINs. The production and mailing costs of sending a letter are far higher than sending a text. Letters with sensitive financial information can be intercepted and used to commit identity theft. Many financial institutions are exploring using SMS-based PIN delivery for bank and credit cards. Beyond pure cost savings (printing and postage) expediting the delivery of credit card PIN codes to your customers means they can start spending money faster.
Make life easier with two-factor authentication over SMS: Smart, practical, and secure
There is a new site hack or breach every week it seems. In almost every case, the damage done could have been mitigated if users were using 2FA to secure their accounts. While a year ago, many consumers were confused by 2FA, times are changing. Stronger authentication and security is a must-have for business critical services. The only question that remains is how to deliver the one-time passwords required for 2FA. From apps to physical devices, there are a number of ways to send an OTP, while only SMS provides near universal coverage and compatibility.