Study Highlights One-Time Password Failures


Organisations ramping up one-time passwords to combat security breaches need to pay closer attention to how they implement those systems, the Ponemon study found

The vast majority (68 percent) of North American organisations agree that more secure authentication methods are needed than the traditional username and password, yet they also report significant problems with the one-time password (OTP) systems many are putting in place, according to a report by the Ponemon Institute sponsored by mobile interaction service provider Tyntec.

According to the survey, 29 percent of respondents in North America report that, on average, 11-20 percent of OTPs fail to be delivered. Of those failures, 48 percent on average occur because the user entered an invalid mobile number.


OTP issues

“Enterprises and Internet companies know that the traditional username and password is simply not enough anymore. However, companies deploying SMS-enabled two-factor authentication need to ensure that OTPs aren’t being sent to invalid mobile numbers,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. “As a result, the research confirmed that 67 percent of global respondents said customer experience improves when SMS-based, two-factor authentication is combined with real-time verification of the receiver’s mobile number.”

The emerging verification method of choice is SMS-based two-factor authentication (2FA), owing to its user-friendliness, cost effectiveness and high level of security, Ponemon found. The report found that companies implementing SMS-based 2FA use the method mainly for identity verification at user registration (43 percent), at each login (38 percent) and for transactions (33 percent).

As part of the authentication process, users who opt in to SMS-based 2FA are required to share their mobile number with the application provider, which sends a unique OTP by SMS to that number. The OTP contained in the SMS must then be entered and verified to complete the transaction, registration or download.

The report noted that OTPs that are never verified translate into unactivated accounts, incomplete transactions and, ultimately, a poor customer experience.

“To service providers looking to increase security for their users, the ability to preverify mobile numbers is essential. In addition to accruing costs in messaging fees, invalid mobile numbers also result in unauthenticated One-Time Passwords, unactivated accounts and unmet expectations on behalf of both the sender and end-user,” Thorsten Trapp, co-founder and CTO of Tyntec, said in a statement.

Validity check

However, even given these failure rates, 29 percent of North American respondents are still unaware that SMS-based OTPs sometimes don't get delivered, while a further 30 percent are aware of the issue but are unsure why OTPs fail to reach the user.

“Companies therefore need to ensure that they strike a balance between cost and reliability from the beginning. By performing a validity check of the mobile numbers provided in real-time, companies can instantly notify users of the mistake and allow access to vital services that they’ve requested or subscribed to,” Trapp continued. “As a result, service providers can improve customer satisfaction with fewer complaints, reduced customer support costs and higher conversion rates.”
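As an added example (not code from the Ponemon report, eWeek or Tyntec), the following Python sketch shows the flow described above: the mobile number is checked for E.164 validity before an SMS is spent, so a mistyped number is reported to the user immediately rather than surfacing later as an undelivered OTP, and the code itself is stored hashed, expires, is rate-limited and is single-use. The `send_sms` callable stands in for a hypothetical SMS gateway; a real-time carrier lookup of the kind Trapp describes is assumed to be an external service and is not implemented here.

```python
import hashlib
import hmac
import re
import secrets
import time

# E.164: leading "+", country code starting 1-9, 8 to 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{7,14}$")


def normalize_number(raw: str):
    """Strip spaces, dashes, dots and parentheses; map a 00 prefix to "+".
    Returns the E.164 string, or None if the number cannot be valid."""
    cleaned = re.sub(r"[\s\-().]", "", raw)
    if cleaned.startswith("00"):
        cleaned = "+" + cleaned[2:]
    return cleaned if E164.match(cleaned) else None


class OtpService:
    def __init__(self, send_sms, ttl=300, max_attempts=5):
        self.send_sms = send_sms  # hypothetical gateway: send_sms(number, text)
        self.ttl, self.max_attempts = ttl, max_attempts
        self.pending = {}  # number -> (code_hash, expires_at, failed_attempts)

    @staticmethod
    def _hash(number, code):
        return hashlib.sha256(f"{number}:{code}".encode()).hexdigest()

    def request_otp(self, raw_number, now=None):
        """Validate the number before sending; returns (ok, message for the user)."""
        number = normalize_number(raw_number)
        if number is None:  # fail fast, no messaging fee, user can correct it
            return False, "invalid mobile number, please re-enter"
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits
        expires_at = (now or time.time()) + self.ttl
        self.pending[number] = (self._hash(number, code), expires_at, 0)
        self.send_sms(number, f"Your verification code is {code}")
        return True, "code sent"

    def verify(self, raw_number, code, now=None):
        """True only for the correct, unexpired, not-yet-used code for this number."""
        number = normalize_number(raw_number)
        entry = self.pending.get(number)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if (now or time.time()) > expires_at or attempts >= self.max_attempts:
            self.pending.pop(number, None)  # expired or brute-force limit hit
            return False
        if hmac.compare_digest(code_hash, self._hash(number, code)):
            self.pending.pop(number)  # single use
            return True
        self.pending[number] = (code_hash, expires_at, attempts + 1)
        return False
```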


Originally published on eWeek.