Survey: SMS Two-Factor Authentication Quickly Gaining Adoption

Password Breaches Increase Mobile Authentication Interest

SMS-based, two-factor authentication combined with one-time passwords is no longer limited to the financial services industry, according to a new study conducted by the Ponemon Institute. Interest is rapidly rising, driven by a string of password data breaches that illustrate why a password alone is becoming ill advised. People use weak passwords and often the same password for multiple services. The Ponemon study, commissioned by Germany-based global mobile and SMS service provider Tyntec, surveyed more than 1,800 IT and IT security professionals worldwide. It found businesses extending the use of two-factor authentication for user registration or activation of online services. However, it must be implemented correctly or businesses risk eroding customer satisfaction and increasing customer support costs, the study found.

Here's a look at the study's key findings.

Ease of Use Cited As Biggest Benefit

Eighty-six percent of survey respondents said SMS-based, two-factor authentication provided increased security and validation of the authenticity of the person logging into an online account or corporate system. The additional mobile authentication step was easy for most employees or customers to use, according to the survey. Issuing a one-time password via a SMS text message works on all mobile phones and survey respondents saw it as more secure than other two-factor authentication methods.

Location, Phone Number Validation

Mobile authentication also provides additional information that could be used to validate identity of a trusted user, according to the study results. Sixty-six percent of respondents say they would be interested in verifying where end users are located and whether their number is valid in real-time, according to the Ponemon report. Ponemon said the additional details could be valuable in assessing the legitimacy of the person logging in, but would require opt-in by the end user.

Validating Each Login, Every Transaction

SMS-based, two-factor authentication is used mainly for new user registration or identity verification, the survey found. Thirty-three percent of businesses said they issue a one-time password through an SMS text message for every login. Another 31 percent said the process is used as an additional verification step during sensitive or high-value transactions.

SMS-based, One-Time Passwords Pose Some Problems

The Ponemon study found that delivering one-time passwords via SMS can result in failure, eroding satisfaction and support cost increases. Delivery failures occurred on average in 13 percent of SMS-based, one-time password implementations, the survey found.

Nearly half (48 percent) could not be sent because the end user supplied an invalid mobile number, but 67 percent of those surveyed indicated fewer customer complaints and cited lower costs if implemented with a mechanism to validate a user's phone number.

Two-Factor Authentication Adoption Rising

Fifty percent of survey respondents said they definitely plan to roll out two-factor authentication in the coming year. Another 40 percent indicated that the additional authentication measure is a possibility. The strongest support is in North America followed by Asia Pacific and Japan.

New-user registration and identity verification continue to be the main reasons frequently cited for using two-factor. Fraud prevention was cited by 30 percent of survey respondents as another reason to add two-factor authentication using one-time passwords for each login.

Two-Factor Authentication Use Varies By Region

North America had the highest use of one-time passwords for each login and transaction, cited by 38 percent of survey respondents. About 51 percent of respondents located in Europe, the Middle East and Africa said one-time passwords are used for user registration or identity verification. The lowest usage was found in Latin America and Mexico, according to the Ponemon study.