Cyber security (authentication) trends for 2022

By Lee Suker, head of authentication, Sinch

In the on-demand economy, customers now expect to be able to engage with their service provider – be it a streaming service, online retailer, or bank, at the click of a button and on the channel of their choice. The pandemic, which has established at-a-distance contact, has of course accelerated this demand.

It’s also becoming apparent that many of the changes in behaviour are here to stay. Consumerresearch from Sinch conducted last year, found that fifty-eight per cent say they’ll continue to avoid crowds, 52 per cent will avoid travel, and 46 per cent will spend less time inside shops.

As a result, financial services providers are under mounting pressure to leverage data, AI and automation to provide a personalised and seamless customer experience, whether the customer is online, via an app or chat bot, or simply calling the customer service phone line. Customer experience, through all digital touch points, is essential to winning and retaining customers.

Balancing risk and user experience

It’s also fair to say that banks’ digital transformation is underpinned by establishing digital trust including on-boarding, authentication and enabling conversations. Yet these aspects of the customer experience are still lagging behind in the banking sector and hobbling customer satisfaction.

Too often, it seems, verifying users, in any scenario, is a no compromise security issue achieved at the expense of the user experience, or worse, lack of engagement. Lessons can be learnt from other industry sectors where targeted, yet valuable engagement can be achieved albeit with a lower security bar.

For many sectors, the go to method for securing access is two-factor authentication (2FA). There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or smartphone), and something you are (such as your fingerprint). Two-factor means using two of these options – most commonly the user receives a number code via a simple text message.

Whilst using text messages for 2FA is not completely infallible from bad actors using social engineering techniques like SIM swap fraud, the banking sector is heavily reliant upon it, and has proved that it performs well, particularly for transaction approvals. However, financial organizations need more than one-time passwords in their arsenal.

Whilst appropriate authentication techniques should always be used, the point to make here is that 2FA using SMS can come at a cost to the user experience. It interrupts the user’s flow. Even a simple process, like entering a one time numerical password, requires the user to wait for an SMS to arrive, change apps, copy a code, and go back to the original app or laptop screen and paste or type in the code before returning to their original intent.

While mobile operating systems are making it easier to enter a one-time password with less context switching, it still represents a disruption, and in the online world, where a consumer’s satisfaction with a product or service can be trashed by one poor experience, it’s vital that friction is kept to a minimum.

Furthermore, although 2FA is basic hygiene, consumers don’t always welcome it. There’s evidence that this is the case.A 2020 study from Yubico found that 23 per cent of respondents found SMS one-time passwords to be very inconvenient.

2FA can also be costly. It is subject to the wholesale price of SMS offered by mobile operators or aggregators (in some countries like Singapore the wholesale price is high and therefore prohibitive). Large retail banks rely heavily on 2FA and can expect to send millions of SMS messages every month. Shaving fractions off that operational cost can represent huge savings.

An Adaptable Approach

Mobile identity and omnichannel engagement have evolved. New authentication techniques are now becoming available, typically through an API enabled by communications as a platform (CPaaS).

Two alternatives in particular have come to the fore.

• Data Verification

Data Verification works on the interplay between the IP address that the mobile network operator assigns to a user’s telephone number when they are using mobile data. The verification works by confirming that the telephone number associated with the identity of the end-user that is trying to perform a verification, is identical to the number associated with the end-users mobile data session.

The service is very fast (sub two seconds) very secure since it’s impossible to intercept via a ‘man in the middle attack’ or via social engineering since it’s not reliant on any piece of information that the user has had to memorise at some point.

• Flash Call Verification

A voice call is initiated and terminated on the end-users device. The calling party number is selected randomly from a dedicated pool of numbers associated with the service. An android phone answers the call automatically and uses the calling party number as the authentication instead of a one time password code that would normally be sent via SMS.

Similarly to Data Verification, Flash Calls are faster, typically more secure and cheaper than SMS since the connection is just acknowledged by the Mobile Network Operator as an unanswered call. In fact we estimate that Flash Calls (with SMS as a fall back) can save up to 25 per cent of the authentication cost and can be delivered up to 70 per cent faster. That’s important when you consider how some banks use millions of SMS one-time passwords as their, often only, channel for authenticating customers.

There’s also accessibility to consider, an area where banks have traditionally struggled to keep up, and with the need to meet compliance specifications, an area that needs nourishing. With SMS based 2FA there is little flexibility with the authentication of the visually impaired for example. Now however, Phone Call verification, where the user receives an automated phone call with a numerical password read out, has become widely available via CPaaS but is seldom offered.

The Customer Wins

As banks and the payment platforms that are integrated with them increasingly shift online, the user experience is becoming a top priority. Most security-savvy companies understand that enabling two-factor authentication is one of the best ways to protect accounts online.

This brings me perhaps to the most important point about both Flash Calls and Data Verification authentication techniques. They both happen in the background without any need for the user to intervene. So, as well as being secure and significantly cheaper, they are also seamless – they just happen!

In the near future just like with so many other as-a-service- platforms, we are likely to see single unified APIs being offered that deliver authentication that is able to determine the most appropriate method based on consumer expectations of a slick user experience, accessibility and the service characteristics – account sign-ups, transaction approvals or logins and also the business goals of any given company, for example, increasing successful on-boarding to a new banking app or simply reducing operational costs.