Ivan Maksic, regional manager UK at Infobip, looks at the background to the widespread adoption of 2-factor authentication via mobile SMS.
Online services and internet companies have changed the paradigm of purchases and service consumption in the last 15 years. With the emergence of email, news portals, social and travel networks, eCommerce sites and mobile apps, many aspects of people’s daily lives have been transferred online.
The likes of Google, Amazon, Facebook and others opened up a new world in which a range of activities are easily done remotely, and opportunities for entertainment, learning, shopping, dating and banking are accessible at all times, from any location, as long as there’s an internet connection. This trend is accelerating, and the gains in terms of availability and convenience for consumers have been tremendous. The landscape has changed for companies as well.
For the first time in history, the so-called billion user opportunity presented itself for businesses to pursue, without depending on massive distribution and logistics. Online companies could aspire to serve people beyond the region, country, physical operations or distribution borders that placed limitations on traditional businesses. Anyone in the world is now a potential user, as long as they’re online. The shift also brought about a new set of security concerns, virtually unknown in the pre-internet era. A new space opened up for abuse, fuelled by the growing number of online profiles and accounts maintained by consumers. These profiles keep large amounts of information on users, a concern the old paradigm of service consumption barely had to deal with.
One-factor problem: password laziness
The amount and scope of user information held in online profiles is stunning. It goes far beyond basic profile details, and includes activity and purchase history, personal documents like photos and videos, home address, travel details and dating preferences, to name just a few. Family status and purchase power can be inferred, and future behaviour predicted on the basis of information kept in online profiles. All this data is sometimes protected by only one authentication factor, usually a combination of a username and a password. Increasingly, this is seen as insufficient, and additional verification mechanisms and layers are being examined. For good reason, too. Around 55 per cent of internet users are estimated to have the same password for most of their online profiles and accounts. Some sources cite around 60 per cent of UK consumers saying they only used passwords they could remember.
It’s not unreasonable to assume some of those passwords are weak, and likely to be used for more than one service. On top of that, almost 30 per cent of consumers admitted they knew passwords belonging to a friend, relative, partner or colleague. High-profile security breaches in 2014 and 2015 also cast doubt on the adequacy of passwords alone as viable authentication mechanisms. In the infamous Dropbox scare, hackers stole around 7m login details from other services, and tried to use them on Dropbox, counting on password reuse. In November 2015, toymaker VTech saw millions of parents’ accounts accessed, and 6.4m children’s profiles compromised.
One of the reasons was poor password security. In 2015, a clever teenager gained control of CIA director John Brennan’s account and accessed sensitive information Mr Brennan had in his email attachments. The iCloud hack of August 2014 saw celebrities’ pictures stolen, with actress Jennifer Lawrence among those hurt in a serious privacy violation. Investigation revealed a security issue in the iCloud API that allowed hackers to make unlimited attempts at guessing passwords.
Second factor – mobile phone solves it all?
Every day, Infobip sends more than 30m authentication messages on behalf of online companies and services in 190 countries around the world. As a concept, 2-factor authentication (2FA) is hardly a novelty. It relies on something that a user knows, and something a user has, to establish their identity. ATM transactions are a well-known example of a 2FA system at work. When an ATM withdrawal is attempted, the system checks if the PIN code provided matches the card inserted. Withdrawal is allowed only if both factors are presented: something the person has (card) and something they know (PIN).
Early on, internet services started with username and password combination as the only authentication mechanism. They tried to achieve extra security by asking consumers to use strong passwords, and change passwords from time to time. Yet, with the proliferation of online accounts, users are mostly unwilling to memorise different passwords for all the accounts they keep. As a result, risks associated with password reuse are multiplying: a stolen set of usernames and passwords from one provider can potentially be used to breach other, unrelated accounts.
Online services have a particular set of challenges when introducing 2-factor authentication, implementation being the most important one. An acceptable solution should be easy to integrate, manage and scale, even for hundreds of millions or a billion users. Clearly, distributing extra hardware, chips or tokens to deliver the second factor is virtually impossible from the integration, maintenance and customer support perspective. It’s also not adequate from the user experience standpoint, ease of use being a fundamental requirement for online services that seek global adoption. In light of that, the demand for the second factor to be smooth to introduce and easy to use by people around the world is far from unreasonable.
Connectivity to telecoms globally
The new paradigm required new thinking, and new solutions. Google and Facebook were among the first to build the second factor around the mobile phone – a device that a large number of users around the world already had, and kept nearby at all times. Delivering the one-time PIN (OTP) in an SMS message, or via a voice service, and asking users to enter this OTP when logging in to a service was simple enough in terms of usability and acceptance.
Technically, OTP delivery to users’ mobile phones was relatively easy to establish through API integrations with A2P SMS or voice platforms, which also provided integration and tech support. Yet, smooth integration could not be the only requirement. Facing the challenge of having to authenticate users all around the world, online services are even more interested in authentication service reach – i.e. the capacity to deliver one-time PINs to any mobile phone in the world – and within a reasonable timeframe.
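As an added example (not Infobip’s code or the page’s own), here is the server-side half of the SMS one-time PIN flow described above: a PIN is generated from a cryptographic random source, handed to a stand-in for the A2P SMS gateway, and later verified with an expiry, a cap on guesses (the control whose absence the iCloud API incident above illustrates) and single-use semantics. The SmsOtpService class, the send_sms callable and the phone numbers are assumptions made for illustration.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a one-time PIN stays valid for five minutes
MAX_ATTEMPTS = 3           # wrong guesses allowed before the PIN is invalidated


class SmsOtpService:
    """Issues and verifies one-time PINs delivered out of band (e.g. by SMS).

    send_sms is any callable(phone_number, text); the caller supplies a stub
    standing in for an A2P SMS gateway (an assumption for this example).
    clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # user_id -> (pin, expires_at, attempts_left)

    def issue(self, user_id, phone_number):
        # secrets is CSPRNG-backed; random.choice would make PINs predictable.
        pin = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = (pin, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        self._send_sms(phone_number, f"Your login code is {pin}")

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing issued, or already consumed
        pin, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user_id]        # expired PINs are discarded, not retried
            return False
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(pin, submitted):
            del self._pending[user_id]        # single use: a replayed PIN fails
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user_id]        # bounded guessing: 10^6 codes is a small space
        else:
            self._pending[user_id] = (pin, expires_at, attempts_left)
        return False
```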
This involves deep technical integration with telecoms, to make sure the delivery paths are stable and reliable. Navigating the world of telecoms can be quite complex, dealing not only with several operators in each country to achieve full coverage, but also with specific country regulations. In recent years, it became possible for digital companies to overcome this challenge through global messaging platforms. These providers worked towards establishing direct connectivity to telecoms around the world, in order to enable delivery to over 800 mobile networks currently operating worldwide. This was the key to making SMS-based 2-factor authentication widely adopted by digital companies and mobile apps all over the world.
This sponsored article first appeared in the June 2016 print edition of Mobile Marketing.