The Death of Passwords: How Telephone Numbers are Reinventing Security

Published July 21, 2015 by Tony Jamous

Internet services are increasingly turning away from conventional forms of user identification and passwords and instead looking towards authentication via mobile phone, a measure that significantly increases security.

Although businesses have not put all the mechanisms in place to effectively identify their users, it has become a critical threat they are now taking very seriously. Not verifying users can have a negative impact not only on customer acquisition and retention, but also brand image.

The overarching best practice is to pre-empt these threats at the source. That means when it comes to the hacking of genuine accounts or the creation of false accounts which can be used to send spam and inappropriate content, companies need to ensure that those registering are who they say they are.

Mobile phone numbers have emerged as the ultimate way to verify user identity. Here’s why:

  • Mobile phone numbers are ubiquitous and they have global reach, covering 6 billion people across the world

  • Phones are enabled for near instant communications and they are all interoperable – each phone will work on practically any phone, in any country and across any network

  • Phone numbers are hard to fake. It costs carriers a lot of money to create new phone numbers, and it requires a tremendous amount of resources to create and maintain brand new numbers. There are also services that detect virtual numbers so that these cannot be used to create fake accounts.

How does phone verification work?
The user enters their phone number into the app or website, which then sends them a PIN code via SMS or voice message. The user enters that PIN and if it is correct, the app or web service knows that phone number belongs to that user. Even though it may seem simple, there are multiple factors that need to be kept in mind to ensure this process is performed successfully:

  • An intuitive user experience with clear instructions for the user – since you are asking the user to exit your app or online portal to look at their text message, you want to process to be as easy as possible

  • To be secure, the generated PIN must comply to the RFC6238 standard. This will make the message temporary and it will expire within the appropriate time to enable delivery

  • Different parts of the world have specific preferences and regulations. Language and PIN length must be customized to achieve high conversion rates

  • It is critical to track and measure conversion rates to get the proper customer acquisition analytics by region and by service

At the end of the day, what matters is to achieve the highest possible success rate when verifying a legitimate user. If the message doesn’t arrive or arrives too late, the end-user may abandon the process. To ensure the authenticity of their users, companies must look for a vendor with great global coverage, is well integrated with carriers and uses technologies to control quality of communication with the ability to dynamically change text message delivery routes.