Industry Dialog on SMS OTP Picks Up
In last month’s blog, we touched on the latest draft of the Digital Authentication Guideline (DAG), open for public preview from the United States National Institute of Standards and Technology (NIST), which discourages companies from using SMS-based one-time passcodes (OTP) as a form of out-of-band (OOB) authentication. We shared insight from Al Pascual, senior vice president, research director and head of fraud & security at Javelin, via his blog No, SMS OTP Isn't Dead.
In that piece, Pascual points out three core reasons why SMS OTP isn’t going away:
- On its own, SMS OTP still has value for low risk transactions;
- SMS OTP can be bolstered to mitigate shortcomings; and
- This method is so broadly integrated across the industry that it cannot be sunset overnight (not quite as entrenched as passwords, but close).
Building on this perspective, and following NIST’s own recent blog post clarifying the proposed deprecation of SMS as an OOB authenticator, Early Warning was recently interviewed by American Banker reporter Bryan Yurcan for our perspective on this topic. In the resulting article, Don’t Ditch SMS, But Change the Way You Use It, Yurcan addresses some of the concerns we are also hearing from banks.
As banks seek to understand the impact of NIST’s proposed guidelines, they should consider several industry best practices:
- Employ a layered approach to authentication that efficiently and effectively utilizes the most appropriate technologies based on the risk a transaction presents, weighed against the costs and the customer friction tradeoffs;
- For concerns around OTP via SMS being delivered to a Voice over IP (VoIP) number (which NIST’s draft singles out because a VoIP number is not bound to a specific physical device), consider delivering the OTP by voice call, recorded for the audit trail, or using voice biometrics as an authenticator;
- Leverage biometric technologies like voice or fingerprint (depending on channel and device) that can help mitigate risk;
- Establish a model that sends sensitive communications only to devices the customer has previously registered and authorized;
- Employ telecom data to gain visibility into mobile identity, line type, porting activity, status and changes to the mobile account;
- Leverage SMS forwarding detection technologies; and
- Establish patterns of activity for devices and consumers, which can identify changes in known data over time.
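The best practices above amount to a risk-based decision: before an OTP is sent, combine the risk of the transaction with what telecom data says about the destination number (line type, recent porting, recent SIM or account changes, SMS forwarding) and pick the authenticator accordingly. The following policy engine is an added illustration written for this post; it is not Early Warning or Authentify code. The `PhoneIntel` fields, the scoring weights, the seven-day recency window and the three authenticator outcomes are all assumptions chosen to make the idea concrete, and the sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class TxRisk(Enum):
    """Risk tier the bank assigns to the transaction being authenticated."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class PhoneIntel:
    """Hypothetical telecom-data record for the destination number.
    Field names and values are assumptions, not a real carrier API."""
    line_type: str                      # "mobile", "landline" or "voip"
    account_status: str                 # "active", "suspended", "disconnected"
    ported_on: Optional[date] = None    # date the number was last ported, if ever
    sim_changed_on: Optional[date] = None  # date of last SIM/account change, if any
    forwarding_active: bool = False     # SMS forwarding detected on the line


@dataclass
class Decision:
    authenticator: str                  # chosen delivery/authentication method
    reasons: List[str] = field(default_factory=list)


RECENT_DAYS = 7      # assumed window in which a port or SIM change is "recent"
STEP_UP_SCORE = 3    # assumed score at which SMS is no longer acceptable


def _recent(event: Optional[date], today: date) -> bool:
    return event is not None and 0 <= (today - event).days <= RECENT_DAYS


def phone_risk(intel: PhoneIntel, today: date) -> Tuple[int, List[str]]:
    """Score the destination number from telecom signals; higher is riskier."""
    score, reasons = 0, []
    if intel.line_type == "voip":
        score += 3
        reasons.append("VoIP number: not bound to a physical device")
    if intel.account_status != "active":
        score += 3
        reasons.append(f"mobile account is {intel.account_status}")
    if _recent(intel.ported_on, today):
        score += 2
        reasons.append("number ported within the last %d days" % RECENT_DAYS)
    if _recent(intel.sim_changed_on, today):
        score += 2
        reasons.append("SIM/account change within the last %d days" % RECENT_DAYS)
    if intel.forwarding_active:
        score += 2
        reasons.append("SMS forwarding active on the line")
    return score, reasons


def choose_authenticator(tx_risk: TxRisk, intel: PhoneIntel, today: date) -> Decision:
    """Layered policy: transaction risk and number risk together select the method.

    - HIGH-risk transactions never rely on SMS OTP alone.
    - A clean number on a LOW/MEDIUM transaction may use SMS OTP.
    - A mildly suspicious number gets the OTP by recorded voice call instead.
    - A number scoring at or above STEP_UP_SCORE is stepped up to a
      device-bound or biometric authenticator.
    """
    score, reasons = phone_risk(intel, today)
    if tx_risk is TxRisk.HIGH:
        reasons.append("high-risk transaction: SMS OTP not accepted alone")
        return Decision("device_bound_or_biometric", reasons)
    if score >= STEP_UP_SCORE:
        return Decision("device_bound_or_biometric", reasons)
    if score == 0:
        return Decision("sms_otp", reasons)
    return Decision("voice_otp", reasons)  # OTP read out on a recorded voice call


# Constructed sample records (not real customer data).
TODAY = date(2016, 8, 15)
CLEAN_MOBILE = PhoneIntel("mobile", "active")
VOIP_LINE = PhoneIntel("voip", "active")
JUST_PORTED = PhoneIntel("mobile", "active", ported_on=date(2016, 8, 13))
SIM_SWAP_AND_FORWARD = PhoneIntel("mobile", "active",
                                  sim_changed_on=date(2016, 8, 14),
                                  forwarding_active=True)

if __name__ == "__main__":
    for label, intel in [("clean mobile", CLEAN_MOBILE), ("voip", VOIP_LINE),
                         ("just ported", JUST_PORTED),
                         ("sim swap + forwarding", SIM_SWAP_AND_FORWARD)]:
        for tier in TxRisk:
            d = choose_authenticator(tier, intel, TODAY)
            print(f"{label:22s} {tier.name:6s} -> {d.authenticator:26s} {'; '.join(d.reasons)}")
```

The reasons list is what lands in the audit trail alongside the delivery record, so a later fraud investigation can see why a given customer was, or was not, sent an SMS. In production the weights and window would be tuned against the institution’s own fraud data rather than the guesses used here.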
For more information on steps you can take to optimize the practice of authentication at your institution, download our Authentify® Platform solution brief.
Did you hear?
Learn more about how Early Warning is unifying and simplifying authentication.
"Digital Identity Tracker™", PYMNTS.com, July 2016.