IT Security Pros Abandoning Traditional Security Measures In Favor Of SMS-Based Two-Factor Authentication

Ponemon and Tyntec survey finds 68% believe username/passwords not enough

March 13, 2014

5 Min Read


San Francisco, CA – March 12, 2014 – New research by the Ponemon Institute, sponsored by mobile interaction service provider, tyntec found the vast majority (68%) of North American organizations agree there's a need for more secure authentication methods over the traditional username and password method. As an alternative, nearly half (46%) plan to extend the usage of SMS-based two-factor authentication (2FA) in 2014 for identity verification and activation of online services. While another 72% felt this type of added protection would improve the customer experience as a result of enhanced mobile authentication features like mobile number verification. The independent research report, "Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication," surveyed more than 1,800 IT and IT security practitioners around the world.

As online security breaches become more prevalent and disruptive, the emerging verification method of choice is SMS-based 2FA due to its user-friendliness, cost effectiveness and high level of security. The Ponemon report found that companies implementing SMS-based 2FA use the method mainly for identify verification in user registration (43%), each login (38%) and transactions (33%).

Influx of failed One-Time Passwords (OTPs)

Despite its effectiveness, organizations implementing SMS-based 2FA are experiencing issues when it comes to implementation and conversion rates as a result of invalid mobile numbers provided by end-users. According to the survey, 29% of respondents in North America cite that on average 11-20% of OTPs fail to be delivered. Of that, 48% on average fail because an invalid mobile number was entered by the end-user.

As part of the authentication process, users who opt-in for SMS-based 2FA are required to share their mobile number with application providers to receive a unique, One-Time Password (OTP) sent via SMS to authenticate their identity. The SMS containing the OTP must be entered and authenticated to successfully complete the transaction, registration or download process. Unauthenticated OTPs translate into inactivated accounts, incomplete transactions, and ultimately, a poor customer experience.

But even in the face of gaping discrepancies, 29% of North American respondents are still unaware that SMS-based OTPs sometimes don't get delivered – 30% are aware of the issue but are unsure of the reasons why OTPs fail to reach the end-user. The cumulative impact of failed OTPs is a heavy burden on service providers looking to increase security.

Solution: mobile number verification

To address the issue of invalid mobile numbers and unauthenticated OTPs, service providers are looking into mobile number verification tools such as tyntec's OTP SMS service to pre-verify mobile numbers before sending OTPs. The survey found that 68% of North American respondents would be interested in the ability to verify where end-users are located and whether their mobile number is valid in real-time to strengthen security measures and reduce the amount of failed OTPs. Currently, only 6% of North American respondents verify recipient data before sending OTPs.

"To service providers looking to increase security for their users, the ability to pre-verify mobile numbers is essential. In addition to accruing costs in messaging fees, invalid mobile numbers also result in unauthenticated One-Time Passwords, un-activated accounts and un-met expectations on behalf of both the sender and end-user," said Thorsten Trapp, Co-Founder and CTO of tyntec. "Companies therefore need to ensure that they strike a balance between cost and reliability from the beginning. By performing a validity check of the mobile numbers provided in real-time, companies can instantly notify users of the mistake and allow access to vital services that they've requested or subscribed to. As a result, service providers can improve customer satisfaction with fewer complaints, reduced customer support costs and higher conversion rates."

Larry Ponemon, Chairman and Founder of the Ponemon Institute, added, "Enterprises and internet companies know that the traditional username and password is simply not enough anymore. However, companies deploying SMS-enabled two-factor authentication need to ensure that One-Time Passwords aren't being sent to invalid mobile numbers. As a result, the research confirmed that 67% of global respondents said customer experience improves when SMS-based two-factor authentication is combined with real-time verification of the receiver's mobile number."

For more information, download the free report and infographic at


Research was conducted by the Ponemon Institute in January 2014 in four global regions: North America (NA), Europe, Middle East and Africa (EMEA), Asia-Pacific plus Japan (APJ) and Latin America plus Mexico (LATAM). The study utilised a demographically balanced omnibus sample of IT and IT security practitioners positioned in Forbes Global 2,000 companies with bona fide credentials. Survey procedures were based on scientific methods that permitted extrapolation and population inferences.

About tyntec

tyntec is a mobile interaction specialist, enabling businesses to integrate mobile telecom services for a wide range of uses – from enterprise mission-critical applications to internet services. The company reduces the complexity involved in accessing the closed and complex telecoms world by providing a high quality, easy-to-integrate and global offering using universal services such as SMS, voice and numbers.

Founded in 2002, and with more than 150 staff in six offices around the globe, tyntec works with 500+ businesses including mobile service providers, enterprises and internet companies.

About Ponemon Institute

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

Press contact tyntec Press contact US PR agency

tyntec Barokas Public Relations

Caroline Dreier Frances Bigley

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights