IT Pros Want More Secure Authentication: Ponemon

The report noted unauthenticated OTPs translate into inactivated accounts, incomplete transactions and, ultimately, a poor customer experience.

The vast majority (68 percent) of North American organizations agree there’s a need for more secure authentication methods than the traditional username-and-password method, according to a report by the Ponemon Institute that was sponsored by mobile interaction service provider Tyntec.

As online security breaches become more prevalent and disruptive, the emerging verification method of choice is SMS-based 2FA due to its user-friendliness, cost effectiveness and high level of security.

The Ponemon report found that companies implementing SMS-based 2FA use the method mainly for identity verification in user registration (43 percent), each login (38 percent) and transactions (33 percent).

According to the survey, 29 percent of respondents in North America say that, on average, 11-20 percent of one-time passwords (OTPs) fail to be delivered. Of those, 48 percent on average fail because an invalid mobile number was entered by the user.

"Enterprises and Internet companies know that the traditional username and password is simply not enough anymore. However, companies deploying SMS-enabled two-factor authentication need to ensure that OTPs aren’t being sent to invalid mobile numbers," Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. "As a result, the research confirmed that 67 percent of global respondents said customer experience improves when SMS-based, two-factor authentication is combined with real-time verification of the receiver’s mobile number."

As part of the authentication process, users who opt in for SMS-based 2FA are required to share their mobile number with application providers to receive a unique OTP, sent through SMS, to authenticate their identity.

The OTP contained in the SMS must be entered and authenticated to successfully complete the transaction, registration or download process.

"To service providers looking to increase security for their users, the ability to preverify mobile numbers is essential. In addition to accruing costs in messaging fees, invalid mobile numbers also result in unauthenticated One-Time Passwords, unactivated accounts and unmet expectations on behalf of both the sender and end-user," Thorsten Trapp, co-founder and CTO of Tyntec, said in a statement.

However, even in the face of gaping discrepancies, 29 percent of North American respondents are still unaware that SMS-based OTPs sometimes don’t get delivered, while 30 percent are aware of the issue but are unsure of the reasons why OTPs fail to reach the user.

"Companies therefore need to ensure that they strike a balance between cost and reliability from the beginning. By performing a validity check of the mobile numbers provided in real-time, companies can instantly notify users of the mistake and allow access to vital services that they’ve requested or subscribed to," Trapp continued. "As a result, service providers can improve customer satisfaction with fewer complaints, reduced customer support costs and higher conversion rates."