It’s easy to see why we have come to rely on SMS OTPs. Initially, they look like they’d get on with everyone. They are simple to use, fairly self-explanatory, and are relatively low risk from a privacy perspective. But do they suit the needs of the whole customer base?
If your SMS inboxes are anything like ours, they are full of SMS based one-time passcodes (SMS OTPs). They have become the ubiquitous authentication factor for nearly every customer journey, whether it’s verifying a password change, or paying someone new. It’s easy to see why. They are relatively easy to implement as a solution and customers are familiar with them.
But how did we get to this state of SMS OTP ubiquity, particularly when so many authoritative bodies are suggesting we look to alternatives?
The European Banking Authority has recategorized SMS OTPs as a possession rather than knowledge factor, almost negating their use for mobile banking. This was followed in the UK, by the Financial Conduct Authority recommending that financial organizations reduce their reliance on them.
What’s more, Gartner(1) predicts that through 2021, enterprises using legacy out of band (OOB) SMS and voice modes will suffer more than twice the number of authentication-related breaches than those using alternate methods. Factor in the ever-burgeoning hidden costs being associated with SMS and they begin to look more like a hot mess than the dependable partner you thought they were.
Maybe our relationship with SMS OTPs was a little hasty. They may seem to be an attractive and premium choice initially, but in the long run they’re costly, not that trustworthy and don’t necessarily offer the greatest experience.
Can SMS OTPs be trusted?
The main security concerns around SMS OTPs is that they can be intercepted. The most common method, SIM-swap fraud - where fraudsters trick network operators in to redirecting a user’s calls and messages to a new sim, is on the rise. As are more complex methods including criminal networks manipulating vulnerabilities in the SS7 Network. Manipulating the SS7 network is a complex affair, mainly reserved for larger criminal networks. Yet, with an increased volume of transactions relying on SMS authentication, the return on investment for this type of criminal activity has grown. What was once seen as an expensive fraud method, is now more than viable. And, we are only set to see these types of activities increase as organizations come to rely on single solutions.
Although they seemed trustworthy, the trouble with SMS OTPs is that our trust with them is eroding. What was thought to be a fairly secure solution, has started to show vulnerabilities. But if SMS OTPs susceptibilities are so obvious, our dependence on them must stem from the optimum user experience they offer?
Can SMS OTPs offer a positive (user) experience?
With mobile adoption increasing, so is the volume of transactions taking place on these devices. With this comes shifting customer expectations particularly as users come to expect hyper-personalized online experiences. SMS OTPs, whilst mobile first, require the user to move to an alternate channel to complete the transaction. At a minimum, this can create frustration. At worst, it can lead to users abandoning transactions as the friction they impose prevents this seamless payment experience (more than half of Americans have scrapped a planned purchase or transaction because of bad service). There are also the issues around deliverability and need for network coverage that should be considered, such as considering the segments of your customer base that don’t have extensive mobile network coverage.
Nonetheless, meeting the needs of the whole customer base is not an easy task. With fraud risk and compliance to consider alongside user experience and costs, it’s hard to strike the right balance.
The hidden costs of SMS OTPs
The trouble with point solutions like SMS OTPs is that the costs can easily start to mount. If we look beyond the budget(able) aspects of SMS OTPs such as cost per SMS, there are a number of hidden costs that are often a byproduct of the issues highlighted above. Strategically, this forces organizations into a reactive environment which is difficult to control.
Let’s start with customer experience. It’s well documented that poor user experiences and catch-all approaches, can lead to increased pressure on call centers. And these costs can start to mount, especially if the number of transactions reliant on SMS OTPs continue to increase. On top of this, there’s the abandoned transactions to consider as more and more users are pushed down customer journeys that add unnecessary friction. This leads to a decrease in interchange fees for banks and a potentially reduced customer base for merchants.
Then there’s the fraud losses to consider. As SMS OTPs become more of a target, the number of fraud cases is set to rise. This additional cost, whether reimbursing customers and/or paying fines is difficult to budget for.
But this uncontrollable state doesn’t need to be the status-quo. With the right level of visibility and control over authentication and authorization journeys, organizations can meet the needs of the entire customer base, without having to risk increases in fraud or cost.
Greater visibility over your fraud and authentication landscape
This article isn’t intended to denounce SMS OTPs. We could easily have swapped SMS OTPs with other authentication mechanisms. It’s about the issues around relying on single solutions. In the age of hyper-personalized customer journeys, those who come out top will be meeting the individual needs of the entire customer base. However, single point solutions offer little flexibility to do so. In order to move away, organizations need greater visibility of their fraud and authentication landscape.
Our holistic solution puts organizations back in control of their fraud and authentication landscape. We give you greater intelligence around who the customer is, and the flexibility to amend customer journeys in real-time. Which allows organizations to move to a more pro-active approach that offers more control over where their budget goes and to less reliance on single solutions.
This not only helps improve security (solutions that use active and passive authentication have fewer weak spots). It’ll help to improve customer experience and NPS scores as customers have the choice and control over their authentication journeys. Which, for some, might mean SMS OTPs (just not for all).
So, maybe it’s time to take a break from SMS OTPs, but it doesn’t mean you can’t remain friends.
 Gartner: Technology Insight for Phone-as-a-Token Authentication, by Ant Allen on 29 April 2019