In our blog "Should You Use SMS as a Security Factor for Customers" we discussed many of the drawbacks to SMS including cost, security and user experience. There are clear advantages to using push notifications and trusted devices to authenticate customers and allow them to approve transactions, but a trusted-device-only approach may not be enough. The problem is that you can't force your customers to download your mobile application. Ideally, your customers would all download it, but unless you have a mobile-app-only business, this just isn't realistic.
Use SMS as an Alternative Authentication Factor
Even if your mobile app has won awards for usability and has the added advantage of acting as a secure second factor to protect your customers' data, you'll never convince your entire customer base to download your app. This is where it becomes necessary to have alternative second factors.
Imagine a funnel where the top represents your most secure and convenient second factor. That's where you want most of your customers to be. To get there, you may promote your mobile app and communicate the additional security advantages it offers for those who download it. However, you'll still have people who will slip lower in the funnel and require an alternate second factor. SMS is an excellent option for the second layer of that funnel due to its widespread use and reach.
SMS was never designed as a security medium; someone simply started using it that way. Security bodies such as NIST now recognize that phone numbers are easy to spoof and that messages sent to them are easy to intercept. SMS still has some advantages. Everyone already has a phone number, so despite its additional cost, security holes and unbranded messaging, it is easier for users to adopt. It is also more secure than having no second factor at all. Offering it only to the smaller portion of your audience that needs it, or only for specific use cases, also costs less than offering SMS as your only second factor.
Still, some customers won't want to share their phone numbers, or will have lost their phones. So even beyond SMS, you'll have to go lower in the funnel and think about how to verify user identities in increasingly rare and insecure situations. At the very bottom of the funnel are customers who have lost their phones and forgotten their passwords. It's up to you to decide how to handle those situations; you might resort to an email-based flow or server-based biometrics for those account recovery use cases.
These approaches to less common account recovery situations may be less secure or more costly. However, by giving most of your customers convenient and secure options at the top of the funnel, you can drastically reduce the usage of these bottom-of-the-funnel methods and provide most of your customers with a low-cost, convenient and secure second factor.
Enhance the Experience of SMS
Within the SMS medium, there are a few things you can do to improve the experience. For example, in addition to embedding push notifications for web authentications and transaction approvals in your mobile application, the PingID SDK also lets you use SMS notifications as an alternative. These SMS notifications can carry customized messages with variables for one-time passwords (OTPs) and other details.
This lets you tailor the message to the situation. For example, if a user receives an SMS message with an OTP to confirm their identity to a customer service representative (CSR), instead of answering less secure knowledge-based authentication (KBA) questions, the message might look like this:
If you're approving a transaction that's more than a dollar amount threshold, you might send a message that looks more like this, with the transaction amount dynamically populated by your server:
There are other capabilities that can be used to further customize messages and make things more convenient for the end user, including the ability to dynamically identify details about the device requesting access and more.
Just like push notifications from the mobile SDK, you can use these SMS notifications as alternative second factors to approve password resets, transactions, CSR identity verifications and anything else you can imagine.
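The two message shapes described above (a CSR identity check and a transaction approval with a server-populated amount) share one security-relevant property: the code in the message should only be good for the exact thing the message describes. The following is an added example, not PingID SDK code; the template syntax, the `SmsOtpService` class and the `send` gateway callback are assumptions for illustration. It generates a random OTP, renders it into a templated message, and on verification requires a constant-time match, an unexpired code, a bounded number of attempts, and the same purpose and transaction details the code was issued for, so a code that approved one transfer cannot be replayed to approve a different one.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Message templates with placeholders. The page does not show the SDK's own
# template syntax, so these are constructed for this example.
TEMPLATES = {
    "csr_verify": (
        "Your identity code is {otp}. Give it only to the support agent "
        "you called; we will never ask for it otherwise. Expires in {ttl} min."
    ),
    "transaction": (
        "Approve transfer of ${amount:.2f} to {payee}? Your code is {otp}. "
        "Expires in {ttl} min. If this is not you, ignore this message."
    ),
}

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3  # six digits and three tries keeps guessing impractical


@dataclass
class PendingOtp:
    code: str
    purpose: str
    context: dict       # details the code is bound to (amount, payee, ...)
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues templated SMS OTPs and verifies them against bound context."""

    def __init__(self, send, clock=time.time):
        self._send = send      # send(phone, text): stand-in for an SMS gateway
        self._clock = clock    # injectable so expiry can be tested
        self._pending = {}     # user_id -> PendingOtp (one live code per user)

    def issue(self, user_id, phone, purpose, **context):
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        text = TEMPLATES[purpose].format(otp=code, ttl=OTP_TTL_SECONDS // 60, **context)
        # Issuing a new code invalidates any earlier one for this user.
        self._pending[user_id] = PendingOtp(
            code, purpose, dict(context), self._clock() + OTP_TTL_SECONDS
        )
        self._send(phone, text)
        return text

    def verify(self, user_id, submitted, purpose, **context):
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user_id]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]   # lock this code after too many guesses
            return False
        # Constant-time comparison on bytes (user input may be non-ASCII), and
        # the purpose and transaction details must be the ones the code was
        # issued for, so a code sent for a $12 transfer cannot approve a $9,000 one.
        ok = (
            hmac.compare_digest(pending.code.encode("utf-8"), str(submitted).encode("utf-8"))
            and pending.purpose == purpose
            and pending.context == context
        )
        if ok:
            del self._pending[user_id]   # single use
        return ok


if __name__ == "__main__":
    outbox = []  # constructed in-memory "gateway" instead of a real SMS provider
    svc = SmsOtpService(send=lambda phone, text: outbox.append((phone, text)))
    svc.issue("alice", "+15550100", "transaction", amount=1250.0, payee="ACME Utilities")
    print(outbox[-1][1])
```

The server keeps the amount and payee alongside the code; the client only echoes the code back. Binding the two on the server is what turns a generic OTP into an approval of that specific transaction.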
Manage a Flexible Network of Users' Trusted Devices
When you combine push notifications with SMS second factors, users can choose their preferred second factor. They can also manage their network of second factors which may include both trusted devices and phone numbers used for SMS. As other authentication methods become available, management of those will also be available in this way.
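To make the funnel described earlier and the user-managed network of second factors concrete, here is an added example that is not PingID SDK code; the `Factor`/`UserFactors` classes, the numeric ranking of push over SMS over email, and the policy names are assumptions for illustration. A user enrolls several factors and picks a preferred one; the server honours that preference when policy allows it, otherwise falls back to the highest-ranked factor the policy permits; and when a factor is removed (a lost phone), the preference is cleared so the user drops to the next rung rather than being locked out.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ranking from the top of the funnel (most secure and convenient) downward.
# Constructed for this example; the page names push, SMS and email-based
# recovery but does not assign them numbers.
FACTOR_RANK = {"push": 0, "sms": 1, "email": 2}

# Which factor kinds each flow may use. Constructed policy: high-value
# transaction approvals never fall back to email, and the account-recovery
# flow is the only place email is acceptable on its own.
POLICY = {
    "login": ("push", "sms", "email"),
    "high_value_transaction": ("push", "sms"),
    "account_recovery": ("email",),
}


@dataclass(frozen=True)
class Factor:
    kind: str      # "push" | "sms" | "email"
    handle: str    # device id, phone number or e-mail address
    label: str     # what the user sees when managing factors


@dataclass
class UserFactors:
    factors: list = field(default_factory=list)
    preferred: Optional[str] = None   # handle of the user's chosen factor

    def enroll(self, factor: Factor) -> None:
        if factor.kind not in FACTOR_RANK:
            raise ValueError(f"unknown factor kind {factor.kind!r}")
        if any(f.handle == factor.handle for f in self.factors):
            raise ValueError(f"{factor.handle} is already enrolled")
        self.factors.append(factor)
        if self.preferred is None:
            self.preferred = factor.handle

    def remove(self, handle: str) -> None:
        """Drop a lost or replaced device/number; clear preference if it pointed there."""
        self.factors = [f for f in self.factors if f.handle != handle]
        if self.preferred == handle:
            self.preferred = None

    def set_preferred(self, handle: str) -> None:
        if not any(f.handle == handle for f in self.factors):
            raise ValueError(f"{handle} is not enrolled")
        self.preferred = handle

    def choose(self, flow: str) -> Optional[Factor]:
        """Pick the factor to challenge with for this flow, or None if nothing fits."""
        allowed = POLICY[flow]
        candidates = [f for f in self.factors if f.kind in allowed]
        if not candidates:
            return None
        for f in candidates:
            if f.handle == self.preferred:
                return f          # honour the user's choice when policy permits
        # Otherwise take the highest rung of the funnel still available.
        return min(candidates, key=lambda f: FACTOR_RANK[f.kind])

    def listing(self) -> list:
        """What a 'manage my devices' page would render."""
        return [(f.kind, f.label, f.handle == self.preferred) for f in self.factors]


if __name__ == "__main__":
    u = UserFactors()
    u.enroll(Factor("push", "dev-7f3a", "Pixel 7"))        # constructed sample data
    u.enroll(Factor("sms", "+15550100", "Mobile"))
    u.enroll(Factor("email", "alice@example.com", "Personal email"))
    u.set_preferred("+15550100")
    print(u.choose("login"))
    u.remove("+15550100")            # phone lost: the user removes the number
    print(u.choose("login"))         # falls back to the push device
    print(u.choose("account_recovery"))
```

Note that `choose` never silently substitutes a weaker factor than the flow allows; a user who has only an email address enrolled gets `None` for a high-value transaction, which the application should treat as "enrol a stronger factor first" rather than as a reason to loosen the policy.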
Figure: Manage both trusted devices and phone numbers for SMS.
About the PingID SDK
The PingID SDK can add security to web and mobile-web authentications, transaction approvals and much more. It can utilize device-based push notifications that can be embedded right into your own mobile app, or customizable SMS messages as an alternative second factor. The PingID server leverages your customers' preferred second factor to strike a balance between convenience and security.