Silent Authentication+ versus SMS One-time-passcodes

When customers interact with a service provider, authenticating their identity is often the first thing they have to do. It’s critical that service providers know that their customers are who they say they are, especially when personal information is being handled and payments are being processed.

However, traditional 2-factor and multi-factor authentication methods provide a vector of infiltration for bad actors, potentially exposing personal information and compromising the safety and security of user data and service provider platforms.

That’s why at JT we’ve partnered with fraud specialists Honey Badger to create a unique authentication platform called Silent Authentication+. Read on to find out how this innovative new solution solves the security and usability problems experienced by existing authentication processes.

What is 2-factor and Multi-factor authentication?

2-factor authentication (2FA) and multi-factor authentication (MFA) systems were put in place to increase the security of online interactions between customers and service providers, particularly where payment processing was concerned.

In essence, these types of authentication add additional layers of security and attempt to prevent security breaches through cyberattacks. They also function as a means of verifying that the user attempting to access a service is who they claim to be.

The most widely used approaches taken to achieve these higher levels of security is through using one-time-passwords (OTPs) sent via SMS, or email verification or ‘magic’ links via email. The process usually looks something like this:

• Customers sign up for a service and create an account.
• They provide their personal details and create a password.
• They are then prompted to provide an email address or phone number - or sometimes both - for authentication. 
• An OTP, PIN, or verification link is sent to the provided email address or phone number that customers must then copy and paste into the platform they are trying to access.
• Once this is done, the customer is granted access.
• This may only happen when a customer initially signs up or may be implemented every time the customer accesses the service.

This system may seem secure on paper, but in reality, there’s a plethora of issues that can arise by the use of these methods, particularly SMS OTPs.

The Security Problem - Anything that can be copied, pasted and shared is fundamentally insecure

While SMS OTPs and email authentication links have become largely favoured as authentication methods due to the ubiquity of SMS and email among consumers, they’ve become increasingly insecure and the source of huge volumes of fraud and financial loss. 

Lack of encryption - SMS was designed for machine-to-machine communications and lacks the encryption extended to person-to-person communications. This has meant that one-time-passcodes sent across SMS have attracted the attention of hackers that employ rogue botnets to intercept messages in man-in-the-middle attacks.

SIM swap attacks - are when bad actors fraudulently gain access to a victims mobile number and are then able to intercept one-time-passcodes used to access their online accounts. These attacks have become increasingly problematic for banks, learn more here.

Coercive fraud - Fraudsters have become increasingly adept at coercing victims into giving up their SMS OTPs by convincing them they’re calling from the service provider who has sent the message, leading to them rapidly being locked out of accounts and defrauded.

Smishing attacks - or SMS phishing is when victims are targeted with fraudulent SMS messages that appear to be from legitimate sources, such as their bank. The fake messages usually ask victims to verify their account information or enter a code they’ve supplied at a specific link. Unbeknown to the recipient the link goes to a fraudulent copy of the real website where fraudsters can harvest the victim's personal information including passwords and genuine OTPs.  

Similarly email accounts have come under an increasing number of attacks making them less than secure for authentication purposes. Social engineering, brute force attacks to crack passwords and phishing all lead to making email authentication links vulnerable to seizure and exploitation by bad actors.

The User Experience Problem - No one appreciates added friction

As service providers search for their competitive advantage, user experience becomes all important. Any unnecessary friction in the form of additional steps in customer journeys creates the potential for customer dissatisfaction and abandonment. 

Authentication via SMS OTPs and email verification links can take up to 40 seconds, and not only create a great deal of friction in the customer journey, but also the potential for service providers to incur added SMS delivery costs from repeated OTP requests and added customer support costs.

Given that the authentication process is often the first interaction a customer will have with your business, it is crucial to make this process as seamless and quick as possible. 

This brings us to the final shortcoming of SMS OTP authentication, which lies in the cost of deployment and upkeep. Putting SMS OTP and similar systems in place is both expensive at the outset and often requires a minimum monthly commitment. While copying and pasting a simple code may seem easy, support tickets filed by customers are often frustratingly high leading to extra costs. Added costs can come from repeated OTP requests by genuine customers, and if you’re unlucky from fraudsters spamming OTP request forms.   

Finally, PSD2 & EMV® 3-D Secure compliance in the EEA and UK require Strong Customer Authentication (SCA) for any kind of electronic payments. SMS simply does not allow for several mandatory features that are required for PSD2 compliance and does not comply with EMV® 3-D Secure as the only compliant SCA element.

The solution

Reading the above, it might seem that customer authentication is an irreparably broken system that needs a complete overhaul. But we’re here to tell you there’s a better way and it’s already been in use for years!

Whenever you use your mobile phone, your network provider needs to authenticate your device. This is done using a secret cryptographic authentication key (Ki) embedded in your phone’s SIM card or eSIM. This authentication key processes a random number sent by your mobile provider’s authentication centre and if it matches the result on the network’s end, your device is authenticated.

This happens without us even realising and is far more secure than SMS OTPs since it does not require the user to copy and paste any links or codes. Plus, your authentication key is known only by your SIM and the authentication centre, not by the user, so it cannot be exploited by social engineering attacks.

This technology was previously only available for use by mobile networks. Today our Silent Authentication+ solution leverages this technology, using it across a broader set of use cases from onboarding new customers, user logins, payments, live chat and much more, where all customers need to authenticate their identity is their mobile phone number.

Without the need for OTPs, PINs, passwords, or user input, data can’t be phished for, intercepted, rerouted, or gained through coercion leading to much safer prospects for customers and businesses. Additionally, near instant authentication makes for frictionless customer experiences. Find out more about Silent Authentication.