Dark Reading | Endpoint | Products and Releases
3/12/2014 02:47 PM

IT Security Pros Abandoning Traditional Security Measures In Favor Of SMS-Based Two-Factor Authentication

Ponemon and Tyntec survey finds 68% believe username/passwords not enough

San Francisco, CA – March 12, 2014 – New research by the Ponemon Institute, sponsored by mobile interaction service provider tyntec, found that the vast majority (68%) of North American organizations agree there is a need for more secure authentication methods than the traditional username and password. As an alternative, nearly half (46%) plan to extend their use of SMS-based two-factor authentication (2FA) in 2014 for identity verification and activation of online services. Another 72% felt this type of added protection would improve the customer experience as a result of enhanced mobile authentication features such as mobile number verification. The independent research report, "Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication," surveyed more than 1,800 IT and IT security practitioners around the world.

As online security breaches become more prevalent and disruptive, the emerging verification method of choice is SMS-based 2FA, due to its user-friendliness, cost effectiveness and high level of security. The Ponemon report found that companies implementing SMS-based 2FA use the method mainly for identity verification in user registration (43%), at each login (38%) and for transactions (33%).

Influx of failed One-Time Passwords (OTPs)

Despite its effectiveness, organizations implementing SMS-based 2FA are experiencing issues when it comes to implementation and conversion rates as a result of invalid mobile numbers provided by end-users. According to the survey, 29% of respondents in North America cite that on average 11-20% of OTPs fail to be delivered. Of that, 48% on average fail because an invalid mobile number was entered by the end-user.

As part of the authentication process, users who opt in to SMS-based 2FA are required to share their mobile number with application providers in order to receive a unique One-Time Password (OTP) sent via SMS to authenticate their identity. The OTP contained in the SMS must be entered and verified to successfully complete the transaction, registration or download process. Unauthenticated OTPs translate into inactivated accounts, incomplete transactions and, ultimately, a poor customer experience.

But even in the face of these delivery gaps, 29% of North American respondents are still unaware that SMS-based OTPs sometimes don't get delivered, and a further 30% are aware of the issue but are unsure why OTPs fail to reach the end-user. The cumulative impact of failed OTPs is a heavy burden on service providers looking to increase security.

Solution: mobile number verification

To address the issue of invalid mobile numbers and unauthenticated OTPs, service providers are looking into mobile number verification tools, such as tyntec's OTP SMS service, to pre-verify mobile numbers before sending OTPs. The survey found that 68% of North American respondents would be interested in the ability to verify in real time where end-users are located and whether their mobile number is valid, in order to strengthen security measures and reduce the number of failed OTPs. Currently, only 6% of North American respondents verify recipient data before sending OTPs.
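As an added illustration of the server side of the flow described above (example code, not from the report or from tyntec's service), the following Python module checks the mobile number before any SMS is sent, counts the two failure causes the survey distinguishes, and treats the OTP as single-use, time-limited and attempt-limited. The E.164 format check, the `FakeGateway` stand-in for an SMS provider, and the 300-second/3-attempt limits are assumptions.

```python
import hmac
import re
import secrets

# Assumed format check (E.164: '+' then 7 to 15 digits), standing in for the real-time
# number-validity lookup the article describes: it catches typos before an SMS is paid for.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
OTP_TTL_SECONDS, MAX_ATTEMPTS = 300, 3   # assumed code lifetime and guesses allowed

class FakeGateway:  # constructed SMS provider stand-in: logs messages, fails unreachable numbers
    def __init__(self, reachable):
        self.reachable, self.outbox = set(reachable), []

    def send(self, number, text):
        self.outbox.append((number, text))
        return number in self.reachable

class OtpService:
    def __init__(self, send_sms, now):
        self.send_sms, self.now = send_sms, now    # send_sms(number, text) -> delivered?; now() -> epoch secs
        self.pending = {}                           # number -> (otp, expires_at, attempts_left)
        self.stats = {"invalid_number": 0, "delivery_failed": 0, "sent": 0}

    def issue(self, number):
        """Pre-verify the number, then generate and send a 6-digit code."""
        if not E164.match(number):
            self.stats["invalid_number"] += 1
            return "invalid_number"                 # user can be told to correct it at once
        otp = f"{secrets.randbelow(10**6):06d}"     # CSPRNG, never the random module
        if not self.send_sms(number, f"Your code is {otp}"):
            self.stats["delivery_failed"] += 1
            return "delivery_failed"
        self.pending[number] = (otp, self.now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        self.stats["sent"] += 1
        return "sent"

    def verify(self, number, submitted):
        """Single-use, time-limited, attempt-limited, constant-time comparison."""
        otp, expires_at, attempts_left = self.pending.pop(number, (None, 0, 0))
        if otp is None or self.now() > expires_at or attempts_left <= 0:
            return False                            # unknown, expired or exhausted: stays removed
        if hmac.compare_digest(otp.encode(), submitted.encode()):
            return True                             # already popped: one successful use only
        self.pending[number] = (otp, expires_at, attempts_left - 1)
        return False

    def invalid_share(self):
        """Fraction of failed OTPs caused by invalid numbers (the survey's 48% metric)."""
        failed = self.stats["invalid_number"] + self.stats["delivery_failed"]
        return self.stats["invalid_number"] / failed if failed else 0.0
```

The format check only catches malformed input; whether a well-formed number is currently reachable is still only known from the gateway's delivery result, which is why both failure counters are kept.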

"To service providers looking to increase security for their users, the ability to pre-verify mobile numbers is essential. In addition to accruing costs in messaging fees, invalid mobile numbers also result in unauthenticated One-Time Passwords, un-activated accounts and un-met expectations on behalf of both the sender and end-user," said Thorsten Trapp, Co-Founder and CTO of tyntec. "Companies therefore need to ensure that they strike a balance between cost and reliability from the beginning. By performing a validity check of the mobile numbers provided in real-time, companies can instantly notify users of the mistake and allow access to vital services that they've requested or subscribed to. As a result, service providers can improve customer satisfaction with fewer complaints, reduced customer support costs and higher conversion rates."

Larry Ponemon, Chairman and Founder of the Ponemon Institute, added, "Enterprises and internet companies know that the traditional username and password is simply not enough anymore. However, companies deploying SMS-enabled two-factor authentication need to ensure that One-Time Passwords aren't being sent to invalid mobile numbers. As a result, the research confirmed that 67% of global respondents said customer experience improves when SMS-based two-factor authentication is combined with real-time verification of the receiver's mobile number."

For more information, download the free report and infographic at http://www.tyntec.com/resources/whitepapers.html.

Methodology

Research was conducted by the Ponemon Institute in January 2014 in four global regions: North America (NA); Europe, Middle East and Africa (EMEA); Asia-Pacific plus Japan (APJ); and Latin America plus Mexico (LATAM). The study utilised a demographically balanced omnibus sample of IT and IT security practitioners positioned in Forbes Global 2000 companies with bona fide credentials. Survey procedures were based on scientific methods that permitted extrapolation and population inferences.

About tyntec

tyntec is a mobile interaction specialist, enabling businesses to integrate mobile telecom services for a wide range of uses – from enterprise mission-critical applications to internet services. The company reduces the complexity involved in accessing the closed and complex telecoms world by providing a high quality, easy-to-integrate and global offering using universal services such as SMS, voice and numbers.

Founded in 2002, and with more than 150 staff in six offices around the globe, tyntec works with 500+ businesses including mobile service providers, enterprises and internet companies.

About Ponemon Institute

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

Press contact, tyntec: Caroline Dreier, tyntec, +49 89 202 451 140, press@tyntec.com

Press contact, US PR agency: Frances Bigley, Barokas Public Relations, +1 206 264 8220, tyntec@barokas.com

Comments
Scott G. (User Rank: Apprentice), 3/13/2014 5:16:58 PM
re: IT Security Pros Abandoning Traditional Security Measures In Favor Of SMS-Based Two-Factor Authentication
The authors of this article and the associated studies make an excellent point about verification of mobile numbers. However, in SMS-based authentication methodologies that utilize a message sent *TO* the mobile device, that verification is of little use, as there cannot, by definition, be any assurance that the key has been received by ONLY that mobile number.

Hacking of inbound (otherwise known in the industry as "MT" or mobile-terminated) messages is notoriously commonplace, and while the intention here is admirable, it is clear that the only method of truly verifying a mobile number is through a message sent *FROM* the phone. Mobile-originated ("MO") SMS-based systems are de facto inherently more secure.

In fact, an MO-SMS system of authentication actually has two verifications involved. The first is done by the carrier which verifies that the unique device identifier (UDID) of the phone sending the text message is matched in their registration database with the mobile number from which it is purported to be sent. If a hacker attempts to "spoof" the number it is caught by the carrier as not matching the UDID and stopped at the source. Accordingly the MO-SMS authentication message would never even reach the authentication system and thus no authentication would occur.

The second form of verification is the mobile number; each MO-SMS sent from a mobile device is accompanied by its mobile number (guaranteed accurate by the first verification described, above) and can be used to authenticate that the message is coming from the correct device. Once that occurs the key that is sent *FROM* the device can be compared to the issued key (the OTP) and access granted or denied.

Sophisticated MO-SMS services would also allow for PINs to be prepended or appended as well as additional layers of protection, such as a randomly determined destination for the authentication key to be sent; this would make it virtually impossible for a hacker as they would not even know where the message had to be directed.

SMS-based authentication services are absolutely the best approach as described thoroughly in this article but the most secure method is one that uses a mobile-originated SMS for highly secure authentication.