A small but persistent percentage of SMS One-Time Passwords (OTPs) sent by two-factor authentication systems never reach users because organisations have no way of spotting incorrect mobile numbers, new research has suggested.
The Ponemon study for mobile interaction firm tyntec questioned 1,861 security and IT staff across Asia, Europe and the US, finding that OTP technology was fairly popular, with just under half of those surveyed using it.
Of the 53 percent that had deployed it in some form (with some overlap), 43 percent had used it for identity verification or registration, 33 percent for each login, and 31 percent for specific transactions.
The survey uncovered a mixed picture when it came to awareness of OTP delivery failure rates, with 18 percent reporting error notifications and another 33 percent aware that messages have not been delivered but not sure why.
Of the nearly one in five that had received a delivery error, the estimated average failure rate was 13 percent. In half of these cases, the underlying cause was an invalid mobile number supplied by the end user with unreliable SMS delivery services accounting for most of the other failures.
Such a failure rate would put the number of non-delivered OTPs at only a few percent but this is probably an underestimate of a problem some IT teams are not even aware of.
The survey found that two thirds of respondents would be interested in some form of number validation in real time on order to check numbers before SMS OTPs were sent.
“In addition to accruing costs in messaging fees, invalid mobile numbers also result in unauthenticated One-Time Passwords, un-activated accounts and un-met expectations on behalf of both the sender and end-user,” said tyntec CTO and founder, Thorsten Trapp.
“By performing a validity check of the mobile numbers provided in real-time, companies can instantly notify users. As a result, service providers can improve customer satisfaction with fewer complaints, reduced customer support costs and higher conversion rates.”
This, of course, fits with tyntec’s view that organisations investing in OTP two-factor authentication technology need a layer of number verification as well; over two thirds of respondents agreed this resulted in a better customer experience and lower support costs. Seventy-two percent were not currently using validation of any kind.