
Why it’s time to say goodbye to OTPs

The key to businesses overcoming the flaws of OTPs is first to recognise that they are no longer the foolproof solution they once were

Saeed Ahmad, Managing Director, Middle East and North Africa at Callsign

Over the years, as critical aspects of how we work, study and manage our personal lives have moved online in the form of an ever-growing array of apps and websites, our authentication methods have also had to evolve. 

It became critical for businesses to confirm who a user was before authorising access, whether they provided banking, shopping or social services. The One-Time Passcode (OTP) was created to meet this need.

The traditional password is a roughly 60-year-old innovation designed for an analog world: easily forgotten or lost, and very easily stolen and compromised. Security professionals and engineers addressed its shortcomings by tethering users to a device they possess, such as a mobile phone, so that a stolen password alone is no longer enough to get in.

Businesses send a passcode – which usually expires after a set period – in an SMS message to a user’s phone number to add an extra layer of security to user authentication.
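To make that mechanism concrete, here is an added example of the server side of an SMS OTP flow in Python. It is not Callsign's code or anything from the article; the five-minute validity window, the five-guess limit and the in-memory store are assumptions chosen for illustration. The code is generated with a cryptographic random source, only its hash is stored, and it is accepted once, within its time window, with a cap on wrong guesses. Sending the SMS itself is outside the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: the code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses burn the code

# Constructed in-memory store keyed by login session; a real service would use
# a database or cache holding the same fields.
_pending: Dict[str, dict] = {}


def _digest(session_id: str, code: str) -> str:
    """Hash the code together with the session it was issued for, so a leaked
    store reveals nothing useful and a code cannot be replayed across sessions."""
    return hashlib.sha256(f"{session_id}:{code}".encode()).hexdigest()


def issue_otp(session_id: str, phone_number: str, now: Optional[float] = None) -> str:
    """Create a fresh random numeric code for this session and return it so the
    caller can send it by SMS. Only the hash, the destination number, the expiry
    and an attempt counter are kept server-side."""
    now = time.time() if now is None else now
    # secrets, not random: the code must be unpredictable to an attacker
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[session_id] = {
        "hash": _digest(session_id, code),
        "phone": phone_number,
        "expires_at": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(session_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a code at most once, only before it expires and only while the
    guess budget lasts. A True result proves possession of the code, nothing more."""
    now = time.time() if now is None else now
    entry = _pending.get(session_id)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        del _pending[session_id]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[session_id]        # brute-force guard: the code is burned
        return False
    # constant-time comparison so timing does not leak how many digits matched
    if not hmac.compare_digest(entry["hash"], _digest(session_id, submitted)):
        return False
    del _pending[session_id]            # single use: the same code cannot be replayed
    return True
```

Note what the verifier can and cannot tell you: it knows the submitted string matches the code sent to a phone number, and nothing about who typed it. That gap is the one the rest of the article is about.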

With mobile adoption increasing, so is the volume of transactions taking place on these devices. With this comes shifting customer expectations, particularly as users come to expect hyper-personalised online experiences. The UAE has the highest smartphone penetration rate in the MENA region, influencing the growth of mobile commerce (or m-commerce). The share of m-commerce in the UAE e-commerce market increased to 42 percent in 2020. 

Due to its convenience and seeming infallibility, most online retailers adopted the OTP. However, OTPs don’t always offer a seamless user experience. SMS OTPs may be mobile-first, but they force the user to switch channels mid-transaction: leave the app or page, find the message, and type the code back in. This can be aggravating, at the very least. In the worst case, users abandon the transaction because of the friction, which prevents a smooth payment experience. There are also deliverability and network coverage issues to consider, such as segments of the customer base without reliable mobile network coverage.

Furthermore, many businesses overlook the fact that an OTP does not prove a user is who they claim to be. All it proves is that whoever is attempting to access the system had the code at that moment, and even that is a weak signal, because the code may have been intercepted or handed over. Well-known examples include SIM-swap fraud, interception of the message in transit, and phishing pages or phone calls that persuade the victim to pass the code on. The OTP became a victim of its own success: its popularity made it worth the criminals’ effort to learn how it works, and they now have.

In short, a mechanism designed to improve security is now one that bad actors know how to work around.

As a result, scams that hinge solely on OTPs, or on people’s behaviour around them, have wreaked havoc on consumers.

The question is: What should businesses do about it?

A truly digital solution  

The key to businesses overcoming the flaws of OTPs is first to recognise that they are no longer the foolproof solution they once were. That could mean either abandoning them entirely or combining them with a different layer of security designed specifically for digital life, such as behavioural biometrics.

Biometrics fall into two broad types. Static (physiological) biometrics use physical identifiers such as fingerprints, faces, voices, iris, retina, vascular and palm patterns. Behavioural biometrics use dynamic inputs, such as the way a user types, holds or swipes on their device, and can be collected passively during a session rather than through a separate step.

By using behavioural biometrics, businesses can prevent large amounts of fraudulent activity and also speed up and automate their checks, because the analysis layers over what they are already doing. That means no additional friction in the user journey, which matters because OTPs add unnecessary friction: if a user has no phone signal or does not have their device with them, the OTP cannot be delivered or read, and the user may abandon their online journey.

A technological win-win

By measuring and analysing human gestures or physical identifiers and using them to recognise or verify a user, behavioural biometrics let businesses build confidence that users are who they say they are. The way a person holds, swipes or types on their device is highly distinctive and difficult for a cybercriminal to replicate, although, unlike a fingerprint, it is a statistical pattern that yields a confidence score rather than a yes-or-no match.
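The following added example shows, in Python, the kind of scoring that sits behind "the way a person types": it is not Callsign's product code or anything from the article, and the enrolment timings, the two later samples and the 2.0 threshold are constructed for illustration. A profile of per-keystroke timing intervals is built from a few enrolment sessions, and a new sample is scored by how many standard deviations it sits from that profile. The decision is a probabilistic risk signal, tuned by the threshold against false accepts and false rejects, which is the caveat a practitioner would attach to any "as unique as a fingerprint" claim.

```python
import statistics
from typing import Dict, List, Sequence

# Constructed enrolment data: flight times in milliseconds between successive
# keystrokes while one user typed the same six-character passphrase four times.
# A real deployment would collect these in the client during normal logins.
ENROLMENT_SESSIONS: List[List[float]] = [
    [120, 95, 210, 140, 88],
    [125, 90, 205, 150, 92],
    [118, 99, 215, 135, 85],
    [130, 93, 200, 145, 90],
]

# Constructed later samples: one from the same user, one from an impostor who
# knows the passphrase but types it with a different rhythm.
GENUINE_SAMPLE = [122, 94, 208, 142, 89]
IMPOSTOR_SAMPLE = [200, 150, 120, 250, 160]

THRESHOLD = 2.0  # assumption: a mean |z| above this is treated as a mismatch


def build_profile(sessions: Sequence[Sequence[float]]) -> Dict[str, List[float]]:
    """Per-interval mean and standard deviation across the enrolment sessions."""
    n = len(sessions[0])
    if any(len(s) != n for s in sessions):
        raise ValueError("all enrolment sessions must have the same number of intervals")
    means = [statistics.mean([s[i] for s in sessions]) for i in range(n)]
    # floor the deviation at 1 ms so a perfectly consistent interval cannot divide by zero
    stdevs = [max(statistics.pstdev([s[i] for s in sessions]), 1.0) for i in range(n)]
    return {"mean": means, "stdev": stdevs}


def anomaly_score(profile: Dict[str, List[float]], sample: Sequence[float]) -> float:
    """Mean absolute z-score of a new sample against the profile; lower means more similar."""
    if len(sample) != len(profile["mean"]):
        raise ValueError("sample length does not match the profile")
    zs = [abs(x - m) / sd for x, m, sd in zip(sample, profile["mean"], profile["stdev"])]
    return sum(zs) / len(zs)


def matches_profile(profile: Dict[str, List[float]], sample: Sequence[float],
                    threshold: float = THRESHOLD) -> bool:
    """Risk decision: True when the typing rhythm is close enough to the enrolled one."""
    return anomaly_score(profile, sample) <= threshold
```

In practice the score feeds a risk engine alongside other signals rather than replacing a factor outright: a borderline score can trigger a step-up challenge, while a clear mismatch on an otherwise valid login is exactly the case the OTP alone would have missed.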

This makes behavioural biometrics a powerful data source for user authentication and fraud detection. Its popularity is only set to grow in the coming years, especially given the pandemic’s accelerated digital transformation initiatives for many businesses.

As the world becomes more digital, businesses must do everything in their power to make it harder for cybercriminals to victimise their customers.