In Context

The next-generation communications blog from Nexmo


Phone Number Verification: A Stronger Alternative to Traditional Passwords

March 9, 2017

Consumers feel increasingly threatened by data breaches, and for good reason: 40 percent of internet users have been victimized by stolen passwords, according to security company Ping Identity. However, consumers aren’t the only ones who suffer from cybercrime. As shown in the Cost of Data Breach report by the Ponemon Institute, the impact of security breaches on businesses and brands is devastating, not to mention the cost of following up with hours of expensive customer support and reputation reestablishment.

Passwords leave the door open

To keep up with consumer demand for access to services anytime, anywhere, and from any device, businesses have increasingly been storing sensitive data in cloud apps. While this makes services like Box, LinkedIn or Facebook much easier to use, users must remember dozens of passwords. In fact, people are often overwhelmed by the number of passwords they need to remember, and they address this challenge by choosing dangerously common passwords that they (and hackers) will find simple to remember, or to figure out when forgotten. And it is not just simple passwords that are a problem. The Heartbleed bug discovered in 2014 clearly showed that passwords do not provide sufficient protection.

If not passwords, then what?

Each alternative to passwords has its advocates, whether it is biometrics, email-based authentication, social network identities, or various clever authentication apps and ID tokens. While some of these alternatives may suit specific scenarios, none of them works for applications requiring global access and a high level of security. Consider that:

  • Biometrics and wearables are expensive and not yet universally adopted.
  • Social network and email logins are easily faked, resulting in bulk registrations.
  • ID tokens come at an additional cost and are easily lost.

Phone number verification uses the ultimate user identity

Authentication based on mobile phone number verification is an ideal replacement for passwords for multiple reasons:

  • It’s global and long-lasting: nearly every person around the globe has at least one phone number, which they retain for decades.
  • Phone numbers are resilient: phone numbers are relatively expensive and time-consuming to fake.
  • Using them for security is affordable: no additional hardware is required and sending/receiving messages is inexpensive.

Phone-based authentication involves sending a one-time password (OTP) to a user over a separate communication channel (SMS or voice) from the IP channel (internet) used by the application, providing security in case the IP channel is compromised. Only the owner of that phone number gets access to the password and is able to log in to the application and verify their identity with a PIN code. Companies can have this single-use password expire within a few minutes for added security, preventing scammers from collecting old PIN codes and using them later en masse to create fraudulent signups.
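A server-side sketch of the single-use, expiring PIN described above, added here as an illustration (it is not Nexmo's code or API). The `PinStore` class, the five-minute lifetime, the three-attempt cap and the sample phone number are assumptions; delivering the PIN over SMS or voice is left to the caller.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300  # assumed lifetime; the post only says "a few minutes"
MAX_ATTEMPTS = 3       # assumed cap on wrong guesses per issued PIN


class PinStore:
    """In-memory store of pending PINs, keyed by phone number (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # phone -> [pin, expires_at, attempts_left]

    def issue(self, phone):
        """Create a 6-digit PIN from a CSPRNG; the caller sends it by SMS/voice."""
        pin = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new PIN overwrites, and so invalidates, any earlier one.
        self._pending[phone] = [pin, self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return pin

    def verify(self, phone, candidate):
        """Return True exactly once for the correct, unexpired PIN."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        pin, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[phone]  # expired or guessed out: discard
            return False
        entry[2] -= 1  # count this attempt before comparing
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(pin.encode(), str(candidate).encode()):
            del self._pending[phone]  # single use: a replayed PIN fails
            return True
        return False


if __name__ == "__main__":
    store = PinStore()
    phone = "+15550100"  # constructed sample number
    pin = store.issue(phone)
    print("first use:", store.verify(phone, pin))   # accepted
    print("replay:   ", store.verify(phone, pin))   # rejected
```

A production deployment would keep the pending entries in a shared store with its own expiry and would also rate-limit how often `issue` can be called per number.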

Phone number verification also can be used in conjunction with traditional passwords to provide two-factor authentication, because a password is something the user knows and a phone is something the user has.

App developers don’t need to start from scratch

Implementing phone number verification that works worldwide is complex because of the advanced protocols and the intricate nuances of telco infrastructure. But there are some easy-to-use solutions readily available, like phone verification APIs that allow you to easily replace traditional passwords. Securing information with phone number verification is a solid way for businesses to protect sensitive user data, and thereby protect their brand reputation.

Get more information at www.nexmo.com/verify.
