Many banks, utility companies and government agencies have been leveraging two-factor authentication (2FA) for several years. This process requires consumers to provide not only their usernames and passwords to access services, but also an additional form of verification such as a biometric identifier or a code that can be emailed to them or sent via text message. The U.S. Social Security Administration, for example, requires recipients using its website to provide unique eight-digit codes sent via text to their smartphones in addition to their usernames and passwords when they sign up or log in.
It appears that these stepped-up verification approaches are warranted, too, as tales of security breaches that have ensnared unsuspecting internet users are rampant. Recent research suggests that more than two-thirds of consumers use the same passwords for all websites, which can be especially problematic when fraudsters deploy software that enables them to crack about 90 percent of passwords in fewer than six hours. Another recent report underscored these issues’ pervasiveness, finding that 81 percent of data breaches three years ago were perpetrated using stolen or weak passwords and that this share had fallen only 1 percentage point by 2019.
A silver lining exists, however. A study found that businesses and other organizations could prevent roughly 80 percent of data breaches by leveraging 2FA. Numerous options are available to organizations determining the verification methods to utilize for 2FA, but phone-based verification has caught on for its ease of use and ubiquity. The process can be as simple as prompting a user to supply and verify a phone number during onboarding, which enables organizations to either send text-based codes for additional authentication or ask consumers to input the phone numbers associated with their accounts when they attempt to log in or check out. This method is not without frictions, however, which are giving some businesses — especially retailers — pause.
The following Deep Dive examines businesses’, FIs’ and other organizations’ use of phone-based verification and text messaging to help customers secure their accounts and ease the checkout process. It also outlines some of the frictions entities face when doing so.
Leveraging phone-based verification
Phone- and text-based verification and authentication measures for consumers have been commonplace for several years, but the COVID-19 pandemic’s dramatic acceleration of digital adoption is putting renewed focus on the technology. Recent research found that since the pandemic’s onset, 84 million Americans have looked for services online that they had previously sought out in person, and 75 percent say they expect to maintain some of these new habits once the health crisis ends. A key facet of this shift has been an increased reliance on mobile phones. Reports show that the number of consumers who have used their smartphones to open accounts has increased 43 percent since March. Authentication measures that meet these customers where they already are — on mobile channels — could therefore be key to signing them up frictionlessly, keeping them engaged and safeguarding their checkout experiences.
Some experts have noted that text message-based measures are not as robust or fraud-proof as other potential 2FA factors, such as biometrics, but there is reason to believe that SMS verification offers enough protection for the average consumer. Many fraudsters’ schemes rely on targeting customers whose information is relatively easy to obtain, and forcing bad actors to confront even minor obstacles in their efforts to snatch personal data can prompt them to abandon their tactics.
There are other reasons to speed up ID verification by using 2FA methods, including text- or phone-based verification, that minimize friction. Roughly half of consumers have reported abandoning online account sign-ups in the past year due to the process being perceived as too cumbersome or untrustworthy. That number appears to be rising, too, as just 37 percent of consumers said the same last year. The other factor to consider is that nearly two-thirds of consumers told researchers they are not convinced companies are protecting their personal data, leading an increasing number to opt for 2FA when such options are offered.
The pitfalls of text-based verification
Social media, financial and email platforms have been relatively quick to adopt 2FA measures that leverage phone-based verification, but the retail sector has been slow to embrace the technology. These measures add security to the sign-up and checkout processes, but they do represent another barrier to purchasing that leaves retailers worried about their conversion rates.
Consumers have also expressed reservations about giving their smartphone numbers to businesses. One survey found that 58 percent say they already receive too many notifications from companies. The results suggested that consumers trust big-name companies such as Amazon or Uber to text them about deals or financial details, but they are likely to reject notifications from lesser-known brands, especially those perceived to be overly focused on marketing. Many consumers do appreciate receiving more information in key areas, however, with 71 percent noting that they liked receiving messages from retailers about a pending purchase and 73 percent saying they welcomed messages about potential fraud from their banks.
Consumers are flocking to digital channels in droves during the pandemic, and many businesses and organizations are eager to enhance their security measures by leveraging 2FA that incorporates phone-based verification. Evidence suggests that these moves can help retailers and others set consumers’ minds at ease during onboarding and purchasing, but outreach could be necessary to allay fears.