Callsign's Chris Stephens, Head of Banking Solutions, explains how you can reduce reliance on SMS OTP with the use of passive behavioral authentication:
If we look at SMS OTPs, there are the obvious, visible costs of actually delivering an SMS to your users. But what are some of the hidden costs?
Firstly, SMS OTPs can be intercepted in a number of ways: SIM-swap attacks, vulnerabilities in the SS7 network, and malware that sits on the phone and forwards messages to other parties. This results in both direct fraud losses and customer complaints. Secondly, things do go wrong with SMS delivery, e.g. the SMS not actually reaching the end user. This can be down to network load or simply the customer not having any signal.
In this scenario there is often no alternative way to complete the transaction, which is problematic from a compliance perspective. It has a number of downstream impacts as the user abandons what they are trying to do. This is bad for merchants because no goods are purchased and bad for issuing banks because no interchange fees are earned. It also leads to increased call center volumes and their associated costs.
So, what else can be done?
Inherence-based authentication is an excellent alternative to SMS OTPs. Everyone knows about biometric-based approaches like facial recognition, but these impact the user experience and have privacy challenges.
Keystroke dynamics and mobile swipe analysis are great alternatives, and the EBA has called them out as compliant inherence factors. They are performed passively, without the user facing any additional friction in their journey, speeding up transaction times and reducing abandonment rates.
If we look at a real-world example, a lot of organizations are adding SMS OTPs to their login process to achieve strong customer authentication. Callsign removes the need for this approach by adding keystroke analysis on top of how the user enters their username and password - achieving SCA without the need for SMS.
Mobile push-based authentication is another user-friendly option. Like SMS OTP, it counts as a possession factor, but it is much more secure.
If there is no other option but to use SMS, real-time SIM-swap timestamp information should be used. This provides more confidence that the genuine user has actually received that OTP.
To manage all these different journeys organizations should look to deploy a real-time decisioning module. This gives them more control over their user experience and ensures SCA compliance for every type of customer. It provides operational agility to adapt when new threats are identified and takes away the black-box nature of existing e-commerce solutions.
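The following is an added illustration, not Callsign's code and not part of the original post: a small Python decisioning sketch that ties the ideas above together. It scores a login's keystroke timings against an enrolled profile as an inherence factor, counts a push approval or SMS OTP as a possession factor, applies the SIM-swap timestamp check before an SMS OTP is trusted, and then enforces the SCA rule of two factors from different categories. The similarity mapping, the 0.80 threshold, the 24-hour SIM-swap cooldown and the feature vectors are all hypothetical, constructed values; a real keystroke model is far more elaborate than the z-score toy used here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Hypothetical policy constants (not Callsign's); a real deployment tunes these.
KEYSTROKE_THRESHOLD = 0.80               # min similarity for keystroke inherence to count
SIM_SWAP_COOLDOWN = timedelta(hours=24)  # OTPs sent this soon after a SIM swap are not trusted


class Factor(Enum):
    """The three SCA categories; SCA needs two from different categories."""
    KNOWLEDGE = "knowledge"      # password
    POSSESSION = "possession"    # push approval, or SMS OTP on a SIM that was not just swapped
    INHERENCE = "inherence"      # keystroke dynamics


def keystroke_similarity(sample, profile_mean, profile_std):
    """Toy similarity between one login's timing features (e.g. key dwell and
    flight times in ms) and the user's enrolled profile. Each feature becomes a
    z-score against the profile; the mean z-score is mapped to 0..1 so that an
    exact match gives 1.0 and three standard deviations away gives 0.0.
    Constructed illustration only, not a production keystroke model."""
    if not sample or not (len(sample) == len(profile_mean) == len(profile_std)):
        raise ValueError("feature vectors must be non-empty and the same length")
    z_scores = [abs(s - m) / (sd if sd > 0 else 1e-6)
                for s, m, sd in zip(sample, profile_mean, profile_std)]
    mean_z = sum(z_scores) / len(z_scores)
    return max(0.0, 1.0 - mean_z / 3.0)


def sms_otp_trustworthy(sim_swap_at, otp_sent_at, cooldown=SIM_SWAP_COOLDOWN):
    """SIM-swap timestamp check: an OTP delivered within `cooldown` of a SIM
    swap may have landed on an attacker's SIM, so it must not count as possession."""
    if sim_swap_at is None:
        return True
    if otp_sent_at is None:
        return False          # no delivery timestamp: be conservative
    return otp_sent_at - sim_swap_at >= cooldown


@dataclass
class AuthSignals:
    """Everything the decisioning step knows about one login attempt."""
    password_ok: bool
    keystroke_score: Optional[float] = None   # from keystroke_similarity()
    push_approved: Optional[bool] = None
    sms_otp_ok: Optional[bool] = None
    sim_swap_at: Optional[datetime] = None    # last SIM swap reported by the carrier
    otp_sent_at: Optional[datetime] = None


def satisfied_factors(s):
    """Map raw signals to the SCA categories they satisfy."""
    factors = set()
    if s.password_ok:
        factors.add(Factor.KNOWLEDGE)
    if s.keystroke_score is not None and s.keystroke_score >= KEYSTROKE_THRESHOLD:
        factors.add(Factor.INHERENCE)
    if s.push_approved:
        factors.add(Factor.POSSESSION)
    elif s.sms_otp_ok and sms_otp_trustworthy(s.sim_swap_at, s.otp_sent_at):
        factors.add(Factor.POSSESSION)
    return factors


def sca_decision(s):
    """Return (decision, sorted factor names). ALLOW when two categories are
    met; STEP_UP (ask for a push approval or another possession factor) when
    only the password checked out; DENY otherwise."""
    factors = satisfied_factors(s)
    names = sorted(f.value for f in factors)
    if len(factors) >= 2:
        return "ALLOW", names
    if Factor.KNOWLEDGE in factors:
        return "STEP_UP", names
    return "DENY", names


if __name__ == "__main__":
    # Constructed enrolled profile and one genuine-looking login sample (timings in ms).
    profile_mean = [100.0, 120.0, 90.0, 150.0]
    profile_std = [10.0, 15.0, 10.0, 20.0]
    genuine = keystroke_similarity([102.0, 117.0, 91.0, 154.0], profile_mean, profile_std)
    print(sca_decision(AuthSignals(password_ok=True, keystroke_score=genuine)))
    # Password plus an SMS OTP sent one hour after a SIM swap: possession is not counted.
    swap = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(sca_decision(AuthSignals(password_ok=True, sms_otp_ok=True,
                                   sim_swap_at=swap, otp_sent_at=swap + timedelta(hours=1))))
```

The point of the sketch is the ordering of checks: the keystroke score is evaluated on the password entry the user is already making, so in the common case the login reaches ALLOW with no SMS at all, and SMS is only reached through STEP_UP, where the SIM-swap timestamp gates whether the delivered OTP is believed.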