The Death of Passwords: How Phone Numbers are Reinventing Security

Published May 27, 2015 by Stephan Schirrecker

On Tuesday, April 28, I had the opportunity to deliver a keynote to executives of gaming companies at GMIC Beijing. The title was “The Death of Passwords: How Phone Numbers are Reinventing Security.”

The topic came up as many are predicting mobile gaming will be blindsided by the next huge security attack. My goal was to explain how savvy gaming companies are taking a page from chat applications to ditch user IDs and passwords altogether, relying only on people’s cell number to dramatically increase security.

For years mobile apps have ignored security threats – a recent study by IBM found that 40% of apps do not have security measures for when they are hacked. Mobile gaming companies are some of the worst offenders as the pace for innovation and acquiring new users is far greater than apps in other industries like media, travel, and hospitality. According to the same study, 65% of companies admit the security of their apps is often put at risk because of customer demand or need, and an overwhelming 77% cite rush-to-release pressures as a primary reason why mobile apps contain vulnerable code.

I have been exploring the issue in more depth and talking to customers in the gaming industry. Also, at Nexmo we have a lot of customer data based on the expertise acquired delivering more than 3 billion phone verifications in the last two years, including for all the top communication apps such as WeChat, Line, Viber, etc.

What are gaming customers telling us? Although they have not put all the mechanisms in place to secure their users, it has become a critical threat they are now taking very seriously. Not verifying users can negatively impact their customer retention and brand.

Here are the key threats:

  • Spam from fake accounts is a major problem for social networks and also threatens gaming companies. Typical forms of abuse include undesired content, excessive posting, link baiting and sending bulk messages.
  • Fraudsters post fake listings, display fake products, causing financial damages both for users and companies. For gaming specifically, referral fraud is a threat as fraudsters will sign up under hundreds of fake accounts to abuse promotions for virtual goods.
  • Hacked accounts and account takeovers (ATO) can have a direct financial impact on businesses, e.g., hacked Netflix accounts are sold for $2 on some internet forums. Handling fraud results in financial damage for chargebacks, higher customer care costs and loss of customers.

The overarching best practice is to pre-empt these threats at the source. That means when users sign up, gaming companies need to ensure that people signing up to play games are who they say they are. Phone numbers have emerged as the ultimate way to verify user identity, and there are several reasons for this:

  • They have the largest reach, covering 6 billion people across the world
  • Phones are enabled for instant communications and they are all interoperable – each phone will work on practically any phone, in any country and across any network
  • Phone numbers are hard to fake. It costs carriers a lot of money to create new phone numbers, and it requires a tremendous amount of resources to create and maintain brand new numbers. There are also services that detect virtual numbers so that these cannot be used to create fake accounts

How does phone verification work? On the surface, phone number verification for registration looks very simple. The user enters their phone number in the app. The app then sends them a PIN code via SMS or voice message. The user enters that PIN and if it is correct, the app knows that phone number belongs to that user. Voila. Even though it may seem simple, there are multiple factors that need to be kept in mind to ensure this process is performed successfully:

  • An intuitive user experience, designed with the right flow, with clear instructions for the user
  • To be secure, the generated PIN must comply with the RFC 6238 standard (time-based one-time passwords)
  • There needs to be a failover process, as the user may not get the PIN on the first attempt because of deliverability issues, so it is critical to retry and use SMS or voice
  • The PIN must be temporary and expire within the appropriate time to enable delivery
  • Different parts of the world have specific preferences and regulations. Language, PIN length and flow must be customized to achieve high conversion rates
  • It is critical to track and measure conversion rates to get the proper customer acquisition analytics by region and by service
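The flow described above (issue a short-lived PIN, deliver it, accept it once within its expiry window) can be made concrete with a small server-side model. The following is added example code, not Nexmo's Verify implementation or API: the PIN is the RFC 6238 value for the time step at which the request was created, and the request object enforces single use, an expiry window and a cap on guesses. Constants such as `TIME_STEP`, `EXPIRY_STEPS` and `MAX_ATTEMPTS`, and the class and function names, are assumptions for illustration; the secret and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical policy values for this example (not Nexmo's settings).
TIME_STEP = 30        # RFC 6238 time step in seconds
PIN_DIGITS = 6        # PIN length; the post notes this is tuned per region
EXPIRY_STEPS = 10     # PIN stays valid for 10 steps (5 minutes), then expires
MAX_ATTEMPTS = 3      # wrong guesses allowed before the PIN is discarded


def hotp(secret: bytes, counter: int, digits: int = PIN_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP,
         digits: int = PIN_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class VerificationRequest:
    """One pending phone verification: a PIN bound to a number and a time step."""

    def __init__(self, phone: str, now: int) -> None:
        self.phone = phone
        self.secret = secrets.token_bytes(20)      # per-request secret, never reused
        self.issued_step = int(now) // TIME_STEP    # time step the PIN was generated for
        self.attempts = 0
        self.verified = False

    def pin(self) -> str:
        """The PIN to deliver to the user by SMS (or voice on failover)."""
        return hotp(self.secret, self.issued_step)

    def check(self, candidate: str, now: int) -> bool:
        """Accept the PIN at most once, inside the expiry window, within the guess cap."""
        if self.verified:                       # single use: a PIN is burned once accepted
            return False
        if self.attempts >= MAX_ATTEMPTS:       # stop brute-forcing a 6-digit space
            return False
        self.attempts += 1
        if int(now) // TIME_STEP - self.issued_step > EXPIRY_STEPS:
            return False                        # expired: user must request a new PIN
        if len(candidate) != PIN_DIGITS or not candidate.isdigit():
            return False
        # Constant-time comparison so response timing leaks nothing about the PIN.
        if hmac.compare_digest(candidate, self.pin()):
            self.verified = True
            return True
        return False
```

The RFC 6238 reference vectors (secret `12345678901234567890`, times 59 and 1111111109) can be used to confirm `totp` is implemented correctly before the code is trusted with real users. A delivery-failover step (retrying the same pending request over voice when the SMS does not arrive) would call `pin()` again rather than creating a new request, so the expiry and attempt counters carry over.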

I kept the most important factors for the end: deliverability and latency. At the end of the day what matters is to achieve the highest possible success rate when verifying a legitimate user. If the message doesn’t arrive or arrives too late, the end-user may abandon the process. Companies must look for a vendor that has great global coverage, is well integrated with carriers and uses technologies to control the quality of communication, with the ability to dynamically change text message delivery routes.

Nexmo has recently released a Cloud Communication API called Verify. It is a turnkey solution that delivers a full phone verification process with high reliability. It does not require telco expertise, provides a dashboard for customers to analyze their conversion rates, country adaptors for local compliance, and text-to-speech failover.

What’s unique about Nexmo Verify is its direct-to-carrier integration coupled with Adaptive Routing™: it dynamically chooses SMS routes to use the fastest, most reliable ones. Nexmo’s engineering team combines the expertise in telecommunication and Cloud APIs required to build such algorithms.

At the end of my presentation I asked the audience to try our phone verification to see how it fits their needs. Trying it out is simple: sign up on (you will get verified – yes, we do follow our own guidance) and run the API against your own phone number. After all, a few steps could save you a lot of trouble.
