
Problems with SMS based Authentication



Key feedback received from customers of SMS OTP is that it leads to several issues or inconvenience due to factors like network availability, restriction to a particular phone number, non-availability of the service when customer travels abroad, timing out of online transactions due to slow speed of OTP transmission etc.

Published in: Technology, Business

  1. Whitepaper: Problems with SMS based Authentication

     The SMS based authentication approach is fundamentally flawed for the following reasons:

     Delay in delivery of SMS

     Although most SMS text messages are transmitted in seconds, it is common to find them delayed when networks become congested. SMS traffic is not sent point to point; it is queued and then sent on to the required network cell, where it is again queued and finally sent to the end user's phone. This queuing gives rise to delays at peak operator periods. It is also not infrequent to hear complaints from users of SMS based authentication that their SMS was delayed by a few hours. Adding to this complication, the application enforces a session time-out of a few minutes within which the authentication or transaction has to happen. Consider that 4% of users trying to authenticate will fail and will need to raise a help desk call to gain emergency access. Thus for a deployment of 10000 users authenticating each day, 400 help desk calls would be raised per day!

     No Coverage Areas

     Mobile phone signals are not always available, particularly in buildings with wide outer walls, in underground basements or in computer rooms that give off high RF noise. Consider a user trying to authenticate in one of these locations. When they fail to receive their authentication code, they need to move to a location that has a signal, receive their authentication code, and move back to the original location to enter their OTP (One Time Password), ALL within a timeout period of 2 minutes. Users in these locations would have no alternative but to raise help desk calls to gain emergency access.

     Unavailability of Mobile Phone

     There might be cases where the user has forgotten the mobile phone somewhere, has lost the mobile phone, the phone's battery has run down, or the mobile number has changed but has not been updated. In all these cases, continuity of access to the application is adversely affected. Some studies have shown that over 50% of mobile users misplace or forget their mobiles at least once a month. All of these amount to increased help desk and support calls.

     What RBI has to say regarding SMS OTP?

     Key feedback received from customers of SMS OTP is that it leads to several issues or inconvenience due to factors like network availability, restriction to a particular phone number, non-availability of the service when customer travels abroad, timing out of online transactions due to slow speed of OTP transmission etc.
  2. Problems with SMS based Authentication - Whitepaper

     Low level of Security

     There are also potential security issues with SMS-OTP. Firstly, all the mobile phone operators between the service provider and the user become part of the trust chain and thus need to be trusted. In the case of roaming there are multiple operators. Secondly, SMS encryption can be decrypted by an attacker and therefore SMS-OTP cannot be totally.

     Downtime with SMS Gateway

     Whenever the SMS gateway is under maintenance or facing issues, the timeliness of SMS delivery is affected. A similar situation can arise when there is a service outage of operator networks.

     Unavailability of service for roaming user

     When a customer travels abroad, availability of the service will be restricted depending on the operator. In those cases, the user will be denied access to the application and has to resort to emergency help desk calls.

     High Cost for roaming user

     Even where the service is available in some countries, the roaming cost per SMS will make the TCO of the system very high. This has to be factored in while calculating the TCO and ROI of the system.

     Dependency on Government Regulations

     In emergency and sensitive situations, governments can dictate the blocking of bulk SMS, thereby affecting the service of SMS based authentication methods. A similar situation was seen in 2010, when the government called for blocking of all bulk SMS during a court hearing on a sensitive subject.

     Mobile phone is used to connect to the internet

     When a mobile phone creates a data connection it cannot receive SMS messages, and in most cases the user might not be aware of this. Users trying to use their mobile phone as a way of connecting to the Internet would not receive their authentication code until they hang up the data connection.

     What Standard Chartered bank website says regarding SMS OTP?

     - There may be some service delays or interruptions by your mobile service providers. Delays could arise due to high SMS load e.g. festive seasons, service outage, earthquakes etc
     - Your mobile phone may be out of network coverage. Please check the signal strength on your phone.
     - You will not be able to receive SMS if you are located in Japan or Korea or Indonesia and your mobile phone is roaming in these countries.
  3. Problems with SMS based Authentication - Whitepaper

     Conclusion

     Organizations looking at implementing a Two Factor authentication solution should take due care that the above factors are considered while evaluating SMS based authentication solutions against other forms of Two Factor authentication.

     ABOUT ARRAYSHIELD

     Array Shield Technologies is the maker of software security products in the area of Multi-Factor Authentication. The company's mission is to provide highly secure, cost effective and easy to use software security solutions globally. For more information, visit us at www.arrayshield.com