Why are one-time passcodes so hard to give up?
By Stuart Neal, General Manager Identity, Boku
A recent survey conducted in the UK discovered that, among those who celebrate, the most stressful Christmas-time activity is thinking about what presents to buy (46 percent say it’s stressful), followed by actually buying them (44 percent say it’s stressful).
I don’t think any of us need reminding how incredibly trying this time of the year is. So why then do retailers and other companies continue to rely on technology and solutions that make the customer journey more challenging?
Specifically, I mean the use of one-time passcodes (OTPs) to let phone users confirm their identity to banking, email, and shopping apps. These codes are clunky, and waiting for them slows down customer onboarding processes and purchase transactions, increasing the number of customer pain points.
What makes the ubiquity of OTPs worse is they’re damaging to the companies that use them too. Research shows 60 percent of customers will abandon frustrating onboarding experiences. The same percentage are unlikely to return to a mobile site they’ve had issues accessing, meaning a valuable customer opportunity (and revenue) is lost.
For these businesses, making new year’s resolutions this year is a simple task: kick your OTP habit in 2022. To help, let’s take a look at why so many are so reliant on them in the first place.
Convenient… and costly
OTPs gained popularity because they were deemed to be convenient—to the company using them at least. They’re a random, disposable collection of characters, so are almost impossible to guess and don’t need to be remembered by the customer.
The adoption of OTPs has coincided with an m-commerce boom that’s made them part of everyday life. With bricks and mortar shops closed during the pandemic, m-commerce has continued its rapid growth over the last 20 months to the extent that global m-commerce sales are predicted to reach $4.5 trillion by 2024, or 69.9 percent of total retail ecommerce sales.
However, success hasn’t guaranteed security. By taking advantage of social engineering techniques and the inherent vulnerability of OTPs, criminals are increasingly capable of carrying out PIN jacking attacks and SIM-swap fraud to gain control of customer accounts—with account takeovers up 600 percent globally in the past year.
Success hasn’t guaranteed smooth service, either. No customer wants to be left waiting to enter their own account, which is what businesses that use OTPs are asking them to do. And that’s if the code that’s been generated reaches them in the first place.
Research by Salesforce revealed that 71 percent of customers have made a purchase decision based on the quality of the customer experience. And yet, despite the obvious shortcomings of OTPs, the number of companies that rely on SMS OTP as a form of authentication continues to grow.
A silent and seamless solution
Fortunately, there is another way. At Boku, we are championing an invisible, frictionless version of onboarding that happens without effort on the part of the customer and makes the most of the technology already in the palm of the customer’s hands.
With OTPs, the SIM card in your mobile device, which is linked to a phone number registered with a mobile network carrier, becomes a vulnerability. But used in an entirely different way, that SIM holds the key to a global network of seamless, secure identification.
Mobile network operators are trusted custodians of our personal information, so much so that the existing technology stack they provide can be used to silently authenticate customers directly. Using APIs, Boku’s novel technology solution verifies user identity directly with mobile operator networks to confirm that it is the correct SIM number and device. There is no code, so there is nothing for criminals to intercept or for users to manually input. API calls between Boku’s and the mobile network operator’s systems also allow us to check whether a customer’s SIM was changed recently, which could be an indicator of SIM-swap fraud.
The move away from OTPs has already started. Tech giants like Microsoft are leaving SMS OTPs behind for more secure and user-friendly alternatives, while for one e-wallet provider alone, we deliver millions of identity checks a month, which takes the friction out of their customer onboarding process and means fewer calls to their call center from customers struggling with their sign-in.
Silent authentication via the mobile carrier is a faster, more secure, and seamless automated experience for the end customer compared to clunky, manual OTPs. It ensures the customer isn’t left feeling like a suspect as they wait to receive a code to access their own account—a better, smoother onboarding experience all round.
About the author
Stuart Neal is General Manager for Identity at Boku Inc. He joined the company in 2011 from Barclaycard, where he was responsible for growing their merchant acquiring division – the second largest in Europe. He is a prominent figure in the European payments market, with specific expertise in deploying innovative payment solutions, such as the rollout of NFC capability in the UK.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.