OTPs are becoming redundant. They are clunky, manual and insecure, and make customers feel like suspects. But the tech exists for businesses to provide a more joyful, silent, and secure customer onboarding experience.
Here, Stuart Neal, General Manager for Identity, Boku Inc, shares his thoughts on how businesses can kick the OTP habit.
How reliant are we on One-Time Passcodes (OTPs)? Put it this way, By the time you’ve finished reading this sentence, thousands upon thousands of OTPs will have been pinged to mobile devices around the world to enable phone users to confirm to banking, email, or social media apps that we are who we say we are.
OTPs initially grew in popularity because they seemed convenient—or to the service provider at least. Unlike static passwords, they are random, therefore near impossible to guess, and users don’t need to remember them.
But the reality is that OTPs aren’t delivering for company or customer. They are clunky and slow, resulting in a mediocre — at best — customer experience. Sometimes the OTP doesn’t even arrive, or the receiver doesn’t complete the process, meaning a valuable customer opportunity (and revenue) is lost.
Customers are being forced to waste time, waiting for different OTPs to be sent to their mobile device to access multiple applications when they should be transacting online or being onboarded to an app or service seamlessly, silently, and automatically.
Convenient for customers… and criminals
Why do we rely on OTPs? The m-commerce boom and the ubiquity of these single-use codes have lulled us into a false sense of security. The mass of businesses moving online during the pandemic kicked off a trend that will see global m-commerce sales reach $4.5 trillion by 2024, or 69.9% of total retail e-commerce sales.
However, criminals and fraudsters have kept pace, using social-engineering techniques to make the current m-commerce infrastructure vulnerable to multiple attack methods, targeting OTPs with PIN jacking and SIM-swap fraud.
Account takeover events are up 600% globally in the past year, according to Feedzai, exposing just how insecure OTPs are. But it’s not just consumers who have become too accepting of the role OTPs have in their lives. According to a Salesforce report, 71% of customers have made a purchase decision based on the quality of the customer experience, while a study by Signicat shows that 60% of customers will walk away from frustrating onboarding experiences.
And yet, despite the tension between the unwieldy nature of OTPs and the importance of smooth CX to the bottom line, the number of businesses that rely on SMS OTP as a form of authentication continues to grow.
But what if user authentication could be invisible — meaning the customer doesn’t need to do anything — and secure, incurring little or no risk of fraud and no customer attrition?
At Boku, we are championing a world where identification is both seamless and secure. Where verification is a frictionless part of onboarding and happens without effort on the part of the customer. So, how to help businesses quit their OTP habit and make security checks and onboarding a more joyful and seamless experience?
The solution is in hand
The solution has been staring us in the face — tucked in the palm of our hands — all this time. With OTPs, the SIM card in your mobile device, which is linked to a phone number registered with a mobile network carrier, becomes a vulnerability. But used in an entirely different way, that SIM holds the key to a global network of seamless, secure identification.
Mobile network operators are trusted custodians of our personal information, so much so, that the existing technology stack they provide can be used to silently authenticate customers directly. Using APIs, Boku’s novel technology solution verifies user identity directly with mobile operator networks to confirm that it is the correct SIM number and device. There is no code, nothing for criminals to intercept or users to manually input. API calls between Boku’s and the mobile network operator’s systems also allow us to check whether a customer’s SIM was changed recently, which could be an indicator of SIM-swap fraud.
As you can see, silent authentication via the mobile carrier is a more secure, fast, and seamless automated experience for the end customer compared to clunky, manual OTPs. It also ensures the customer isn’t left feeling like a suspect as they wait to receive a code to access their own account — a better, smoother onboarding experience all round.
For one e-wallet provider alone, we deliver millions of identity checks a month, which takes the friction out of their customer onboarding process and means fewer calls to their call centre from customers struggling with their sign in.
The shift away from OTPs has already started. Governments, big tech companies like Microsoft and banks, are leaving SMS OTPs behind, for more secure and user-friendly alternatives.
Seamless and silent authentication via mobile network operator data will help businesses worldwide significantly improve the customer experience. It’s high time more businesses kicked the OTP habit and opted for a better, more secure, and customer-friendly alternative.
