How to Increase App Security Through Mobile Phone Authentication
As more Internet users become mobile-first, security plays a larger role in the apps and services used in our daily lives. From a business perspective, a company puts its reputation at risk if it is perceived to be lax about verifying user identity. Consequently, ensuring the legitimacy of users has become a critical exercise for businesses, especially community-based ones.
Another equally important aspect is keeping the customers’ trust and loyalty. Loss of reputation is expensive because companies need to spend for the recovery of their brand image as well as acquire new customers to replace the ones who left.
Another motive for increasing application security is the cost to the business after suffering data breaches. If the company can identify where the breach started and pin it down to a user, this may potentially allow for a more effective containment of the damage.
The ideal solution to increase application security should also be easy to implement, without the need for a huge amount of resources while not providing a negative customer experience to the user. This is where mobile phone authentication can help as it is globally accessible and relatively inexpensive.
Phone numbers have become the ultimate user identifier due to phones being ubiquitous and an essential modern day communication accessory. Furthermore, people keep the same number over long periods of time – ten years or more – making the data collection and tracking process a lot easier.
Mobile phone authentication is a relatively easy process for the user. The user is sent a one-time password (OTP) over a communication channel (SMS or voice) that is separate from the IP channel (Internet) used by the application. The user then has to input this code into the application. This provides security in case the IP channel is compromised.
As a result, only the owner of that phone number gets access to the password allowing them to log in to the application and verify their identity with an OTP or PIN code. This then creates a genuine association between user and phone number. The ubiquity of the mobile device, and the convenience of its utility as a one-time-use passcode device, enables businesses all over the world to take advantage of the intersection of convenience and security.
Mobile phone authentication is a form of two-factor authentication, with the password being something the user knows and the phone something he/she has. The combination of the user’s login and phone verification can help to safeguard the account.
There are also some added security measures that one can implement with mobile phone authentication:
Setting expiration times
The OTP or PIN code sent to the user can be set to expire within a few minutes. If the user is genuine, this should be enough time for them to get the code from the phone and input it back into the service or application.
This reduces the window a fraudster has to automatically generate enough OTP or PIN combinations to gain unauthorized access to the application.
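The expiry rule above, as an added example that is not part of the original article: codes are issued with a fixed lifetime, accepted only once, compared in constant time, and locked after a small number of wrong guesses so that an attacker cannot cycle through combinations inside the window. The store, field names and limits are assumptions for illustration.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # code expires five minutes after it is issued
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded

# In-memory store keyed by phone number (assumed; a real service would use a
# database or cache holding the same three fields).
_pending: Dict[str, dict] = {}


def issue_otp(phone: str, now: Optional[float] = None) -> str:
    """Generate a fresh random code, record its expiry, and return it for delivery by SMS/voice."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    _pending[phone] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code


def verify_otp(phone: str, submitted: str, now: Optional[float] = None) -> str:
    """Check a submitted code. Returns 'ok', 'wrong', 'expired', 'locked' or 'none'.

    A code is removed from the store on success, on expiry, and after too many
    wrong attempts, so it can never be accepted twice or guessed indefinitely.
    """
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None:
        return "none"                      # nothing outstanding for this number
    if now > entry["expires"]:
        del _pending[phone]
        return "expired"
    entry["attempts"] += 1
    if hmac.compare_digest(entry["code"], submitted):   # constant-time comparison
        del _pending[phone]                # single use: consume the code
        return "ok"
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[phone]                # throw the code away; user must request a new one
        return "locked"
    return "wrong"
```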
Blocking virtual numbers
Virtual numbers are numbers without a directly associated telephone line. In effect, the user won’t need a physical phone for the number to operate.
As it can be determined whether a user is providing a mobile, landline or virtual number (e.g., Skype), the user can be blocked or prompted to provide a non-virtual number if they initially provided a virtual number. This will reduce the chances of fraud as the user will need to have a phone associated with the mobile number.
Several use cases exist for mobile phone authentication in applications:
Verifying identity at signup
It is important to confirm the user’s identity when they sign up to your service or application. If a fraudulent user is approved, security is immediately compromised.
Optional mobile phone authentication at login
Allowing the user to opt for mobile phone authentication every time they log into your service or application will provide them with an extra layer of security. It is similar to offering someone an extra padlock on their door so that anyone who tries to break in will have more hurdles to get through.
For example, Twitter has an opt-in login verification feature where the user is sent a code every time they sign in to twitter.com.
Resetting of passwords
The process of resetting passwords can be exploited by hackers or fraudsters to gain unwarranted access to a user’s account. Account recovery questions such as date of birth or mother’s maiden name can be insecure because the answers can sometimes be gleaned from the user’s social media accounts. Therefore, it is recommended to add another layer of security such as mobile phone authentication to this process.
Authenticating upgrades or account changes
It is important to add another authentication layer when a user makes upgrades or account changes as these may potentially have a significant impact. This could occur when sharing a service between family members or friends where the account is registered under one person’s name.
Imagine an instance when a child tries to make purchases without consent. Mobile phone authentication will allow the parent to be notified of the attempt before they unknowingly get stuck with a big bill at the end of the month.
Authenticating login from new device/location/IP address
This use case is similar to mobile phone authentication on login. However, not everyone will want to enter a code every single time they log into an application, especially if the service is one that supposedly offers convenience (e.g., delivery apps).
An alternative is to just offer them mobile phone authentication when they log in from a new device, location or IP address for fraud prevention. Facebook’s Login Approvals prompts mobile phone authentication upon login using an unrecognized computer.
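The new device/location/IP rule described above, as an added example that is not part of the original article or of any vendor's product: a login is stepped up to mobile phone authentication only when its context has not been seen on that account before, and a context that passes the OTP check is remembered so the next login from it needs only the password. The account history schema, the use of country as the "location" signal and the /24 grouping of IP addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class AccountHistory:
    """Contexts already verified for one account (assumed schema)."""
    devices: Set[str] = field(default_factory=set)    # device/cookie ids that completed OTP
    countries: Set[str] = field(default_factory=set)  # countries of past verified logins
    networks: Set[object] = field(default_factory=set)  # IP blocks of past verified logins


def _block(ip: str):
    """Group addresses by /24 (assumed granularity) so a DHCP change on the same network is not 'new'."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def login_requires_otp(history: AccountHistory, device_id: str, ip: str, country: str) -> List[str]:
    """Return the reasons this login must be stepped up; an empty list means the password alone suffices."""
    reasons = []
    if device_id not in history.devices:
        reasons.append("new device")
    if country not in history.countries:
        reasons.append("new location")
    if _block(ip) not in history.networks:
        reasons.append("new IP range")
    return reasons


def record_verified_login(history: AccountHistory, device_id: str, ip: str, country: str) -> None:
    """Call only after the OTP succeeded: remember the context so it is trusted next time."""
    history.devices.add(device_id)
    history.countries.add(country)
    history.networks.add(_block(ip))


if __name__ == "__main__":
    # Constructed walk-through: first login from a fresh account is fully unknown.
    h = AccountHistory()
    print(login_requires_otp(h, "dev-A", "203.0.113.10", "US"))   # all three reasons
    record_verified_login(h, "dev-A", "203.0.113.10", "US")
    print(login_requires_otp(h, "dev-A", "203.0.113.77", "US"))   # same /24: no step-up
    print(login_requires_otp(h, "dev-A", "198.51.100.5", "DE"))   # known device, new country and range
```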
Authenticating transactions based on behavioral differences
When a fraudster gets hold of a user’s account, they will perform transactions that are not in line with the user’s normal activity, usually to maximize their monetary gains. Therefore, it is beneficial to require mobile phone authentication for transactional activity that seems fishy, to prevent fraudulent transactions from going through.
Mobile phone authentication is a globally accessible and relatively inexpensive way to increase application security. It has several use cases such as during signup, login, password reset, account changes, login from new device or location and unusual transactional activity.