Reinforcing Authentication Best Practices

Posted by Rich Rezek, vice president market development, Authentication Solutions on Aug 21, 2016

Industry Dialog on SMS OTP Picks Up

In last month’s blog, we touched on the latest draft of the Digital Authentication Guideline (DAG) (open for public preview) from the United States National Institute of Standards and Technology (NIST), discouraging companies from using SMS-based authentication as a form of out-of-band (OOB) authentication. We shared insight from Al Pascual, senior vice president, research director and head of fraud & security at Javelin, via his blog "No, SMS OTP Isn't Dead."

In that piece, Pascual points out three core reasons why SMS OTP isn’t going away:

  1. On its own, SMS OTP still has value for low risk transactions;
  2. SMS OTP can be bolstered to mitigate shortcomings; and
  3. This method is so broadly integrated across the industry (not quite like passwords, but you don’t sunset something like this overnight). 

Building on this perspective, and in addition to the recent blog from NIST that further clarifies the proposed deprecation of SMS, Early Warning was recently interviewed by American Banker reporter Bryan Yurcan for our perspective on this topic. In this article, "Don’t Ditch SMS, But Change the Way You Use It," Yurcan addresses some of the concerns we are also hearing from banks.

As banks seek to understand the impact of NIST’s proposed guidelines, they should consider several industry best practices:

  • Employ a layered approach to authentication that efficiently and effectively utilizes the most appropriate technologies based on the risk a transaction presents, weighed against the costs and the customer friction tradeoffs;
  • For concerns around the vulnerability of OTP via SMS over voice over IP (VoIP), consider incorporating additional delivery of OTP via voice recording for audit trail or voice biometrics as an authenticator;
  • Leverage biometric technologies like voice or fingerprint (depending on channel and device) that can help mitigate risk;
  • Establish a model for secure communication only with authorized devices;
  • Employ telecom data to gain visibility into mobile identity, line type, porting activity, status and changes to the mobile account;
  • Leverage SMS forwarding detection technologies; and
  • Establish patterns of activity for devices and consumers, which can identify changes in known data over time.
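
As an added illustration (not Early Warning's code and not part of the original post), the Python below shows one way the telecom-data, forwarding-detection and baseline practices in the list could gate SMS OTP delivery. The field names, the 30-day porting window, the decision labels and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LineSnapshot:
    """Telecom data for one mobile number (field names are assumed)."""
    line_type: str                  # "mobile", "voip" or "landline"
    carrier: str
    days_since_port: Optional[int]  # None means the number was never ported
    forwarding_active: bool
    account_active: bool

WATCHED = ("line_type", "carrier", "forwarding_active", "account_active")

def changed_fields(baseline, current):
    """Fields that differ from the baseline stored for this consumer."""
    return [f for f in WATCHED if getattr(baseline, f) != getattr(current, f)]

def choose_authenticator(txn_risk, device_authorized, baseline, current,
                         port_window_days=30):
    """Return (decision, reasons); txn_risk is "low" or "high"."""
    reasons = []
    if not current.account_active:
        reasons.append("mobile account inactive")
    if current.line_type != "mobile":
        reasons.append(f"line type is {current.line_type}")
    if current.forwarding_active:
        reasons.append("SMS forwarding detected")
    ported = current.days_since_port
    if ported is not None and ported <= port_window_days:
        reasons.append(f"ported {ported} days ago")
    reasons += [f"{f} changed since baseline"
                for f in changed_fields(baseline, current)]
    if not reasons:
        # Clean line: SMS OTP alone for low risk, or layered with a known device.
        if txn_risk == "low" or device_authorized:
            return "sms_otp", reasons
        return "sms_otp+biometric", ["high risk on unrecognised device"]
    # SMS delivery is not trusted: fall back to another layer, never to SMS.
    if device_authorized:
        return "biometric", reasons
    return "manual_review", reasons

# Constructed sample records, not real telecom data.
BASELINE = LineSnapshot("mobile", "CarrierA", None, False, True)
PORTED = LineSnapshot("mobile", "CarrierB", 2, False, True)

if __name__ == "__main__":
    print(choose_authenticator("low", False, BASELINE, PORTED))
```
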

For more information on steps you can take to optimize the practice of authentication at your institution, download our Authentify® Platform solution brief.

Did you hear? - a leading U.S. payments publication - just ranked Early Warning #1 for Digital Identity Assessment Solutions in their July Digital Identity Tracker™!



"Digital Identity Tracker™" July 2016.
