Phone Number Verification: A Stronger Alternative to Traditional Passwords
Consumers feel increasingly threatened by data breaches, and for good reason: hundreds of millions of previously-used passwords have fallen into the hands of hackers. However, consumers aren’t the only ones who suffer from cybercrime. As shown in the Cost of Data Breach report by the Ponemon Institute, the impact of security breaches on businesses and brands is devastating, not to mention the cost of the follow-up: hours of expensive customer support and the work of rebuilding a reputation.
Passwords leave the door open
To keep up with consumer demand for access to services anytime, anywhere, and from any device, businesses have increasingly been storing sensitive data in cloud apps. While this makes services like Box, LinkedIn or Facebook much easier to use, users must remember dozens of passwords. In fact, people are often overwhelmed by the number of passwords they typically need to remember, and they address this challenge by choosing dangerously common passwords that they (and hackers) will find simple to remember or figure out when they forget. And it is not just simple passwords that are a problem. The Heartbleed bug discovered in 2014 clearly showed that passwords do not provide sufficient protection.
If not passwords, then what?
Each alternative to passwords has its advocates, whether it’s biometrics, email-based authentication, social network identities, or various clever authentication apps and ID tokens. While some of these alternatives may suit specific scenarios, none of them works for applications requiring global access and a high level of security. Consider that:
- Biometrics and wearables are expensive and not yet universally adopted.
- Social network and email logins are easily faked, resulting in bulk registrations.
- ID tokens come at an additional cost and are easily lost.
Phone number verification uses the ultimate user identity
Authentication based on mobile phone number verification is an ideal replacement for passwords for multiple reasons:
- It’s global and long-lasting: nearly every person around the globe has at least one phone number, which they retain for decades.
- Phone numbers are resilient: phone numbers are relatively expensive and time-consuming to fake.
- Using them for security is affordable: no additional hardware is required and sending/receiving messages is inexpensive.
Phone-based authentication involves sending a one-time password (OTP) to a user over a communication channel (e.g. SMS, MMS, WhatsApp, Facebook Messenger, Viber or even voice) that is separate from the IP channel (internet) used by the application, providing security in case the IP channel is compromised. Only the owner of that phone number gets access to the password and is able to log in to the application and verify their identity with a PIN code. Companies can have this single-use password expire within a few minutes for added security, preventing scammers from collecting old PIN codes and using them later en masse to create fraudulent signups.
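The server side of the expiring, single-use code described above, as an added example that is not from the original article or from any vendor's API. The OtpStore class, the five-minute lifetime and the limit on wrong guesses are assumptions made for illustration, and the phone number is a constructed sample.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumption: the page's "a few minutes" taken as five
MAX_ATTEMPTS = 5       # assumption: guess limit, not mentioned on the page


class OtpStore:
    """Pending one-time codes keyed by phone number (hypothetical, in-memory)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # per-process key for stored MACs
        self._pending = {}  # phone -> [mac, expires_at, attempts_left]

    def _mac(self, phone, code):
        # MAC over number and code, so the store never holds the code itself.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, phone):
        """Create a 6-digit code; any earlier code for this number is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[phone] = [self._mac(phone, code), expires_at, MAX_ATTEMPTS]
        return code  # goes to the SMS/voice gateway, never back over the IP channel

    def verify(self, phone, submitted):
        """True once for the right code; expired, reused or over-guessed codes fail."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        mac, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[phone]
            return False
        entry[2] = attempts_left - 1
        if hmac.compare_digest(mac, self._mac(phone, submitted)):
            del self._pending[phone]  # single use: a replayed code finds nothing
            return True
        return False


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("+15555550100")  # constructed sample number
    print(store.verify("+15555550100", code), store.verify("+15555550100", code))
```

The injectable clock exists so expiry can be exercised without waiting; a production store would also need to be shared across application instances.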
Phone number verification can also be used in conjunction with traditional passwords to provide two-factor authentication, because a password is something the user knows and a phone is something the user has.
App developers don’t need to start from scratch
Implementing phone number verification that works worldwide is complex because of the advanced protocols and the intricate nuances of telco infrastructure. But there are some easy-to-use solutions readily available, like phone verification APIs that allow you to easily replace traditional passwords. Securing information with phone number verification is a solid way for businesses to protect sensitive user data, and thereby protect their brand reputation.
Get more information at www.nexmo.com/verify.