Data breaches. Account takeovers. SIM swap fraud. With fraudsters growing more sophisticated each day, it’s no secret that two-factor authentication (2FA) or multi-factor authentication (MFA) is now a bare minimum requirement that companies must invest in to secure their customers’ accounts. However, the most common form of MFA/2FA, called SMS OTP (or SMS one-time password), has several known vulnerabilities. If you’re already familiar with SMS OTP and its pitfalls, feel free to skip ahead to the section entitled What is Instant Link™?
What’s Wrong with SMS OTP?
The challenges associated with SMS OTP are well-documented and basically fall into two buckets:
- Fraud: SMS OTPs can be intercepted by bad actors (for example through the SIM swap fraud mentioned above) and therefore cannot be relied upon for their intended purpose of keeping fraudsters out of online accounts. Suppose a fraudster already has the password to one of your online accounts and initiates a transaction that triggers an SMS OTP. If they can intercept that SMS, they receive the numerical passcode that was meant for you, key it in, and gain access to your account. The OTP that was intended to keep you safe has instead let the fraudster in.
- The Customer Experience: SMS OTPs add friction. If you have ever tried to log into an account or reset a password with an SMS OTP, you know that fumbling between your computer and your phone (or between apps on your phone) while trying to remember a numerical code long enough to type it in is not exactly seamless. SMS OTPs can also be unreliable: many consumers report initiating an SMS OTP authentication and never receiving the code at all.
So there are several reasons why companies are already moving away from SMS OTP, but what are the alternatives? While Prove offers several next-generation alternatives to SMS OTP, one of our most popular is Instant Link, because it keeps the familiarity of a possession-based check like SMS OTP while adding protection against account takeover and a better customer experience.
What is Instant Link?
Instant Link is a second-factor authentication (a.k.a. a “proof of possession check”) service that allows companies to embed a secure clickable link in an SMS text. At first glance Instant Link looks like an SMS OTP and works in a similar way, but instead of a numerical passcode that must be read and retyped, the SMS carries a unique, single-use link. When your customer taps it, their device completes a secure exchange with Prove that confirms it is really your customer on the other end of the transaction. Because the tap proves possession of the phone, clicking an Instant Link satisfies the NIST definition of two-factor authentication. Optionally, Instant Link goes beyond the SMS OTP standard by performing a mobile carrier authentication on top of the click: the carrier, together with an IP address confirmation, checks that the device opening the link is the phone the SMS was sent to, which adds a further NIST-recognized layer of multi-factor authentication.
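To make the mechanism concrete, here is the server side of a generic SMS "magic link" possession check. This is an added example, not Prove's code, and it makes no claim about how Instant Link is implemented; `BASE_URL`, the phone numbers and IP addresses are placeholders, and the `carrier_lookup` dict is a constructed stand-in for the optional carrier authentication (it maps the IP address a click arrives from to the phone number the carrier attributes to it).

```python
"""Minimal server side of an SMS magic-link possession check.

Added illustration of the flow described above, not Prove's Instant Link
code or API. Time is passed in explicitly (`now`) so the example is
deterministic, and `carrier_lookup` is a constructed stand-in for a real
carrier authentication lookup.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 300                        # a link expires after five minutes
BASE_URL = "https://example.com/auth/link"    # placeholder, not a real endpoint


@dataclass
class PendingLink:
    phone: str          # number the SMS was sent to
    session_id: str     # web session (e.g. on the desktop) that asked for the check
    expires_at: float   # unix time after which the link is rejected
    used: bool = False  # single use: a replayed link is rejected


class LinkAuthService:
    def __init__(self) -> None:
        # Only the SHA-256 of each token is stored, so a leaked table does not
        # yield clickable links. Completed checks are recorded per session so
        # the originating session can poll for the result (cross-device flow).
        self._pending: Dict[str, PendingLink] = {}
        self._completed: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, phone: str, session_id: str, now: float) -> str:
        """Create a single-use link for `phone`; returns the URL to place in the SMS."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._pending[self._digest(token)] = PendingLink(
            phone=phone, session_id=session_id, expires_at=now + LINK_TTL_SECONDS
        )
        return f"{BASE_URL}?t={token}"

    def verify(self, token: str, now: float,
               client_ip: Optional[str] = None,
               carrier_lookup: Optional[Dict[str, str]] = None) -> str:
        """Handle a click. Returns "ok" or the reason the click was rejected.

        When `carrier_lookup` is supplied, the click must come from an IP the
        carrier attributes to the phone the link was sent to (the optional
        carrier binding). A mismatch does not consume the link, so the real
        phone can still complete the check.
        """
        rec = self._pending.get(self._digest(token))
        if rec is None:
            return "unknown"          # tampered, truncated or never issued
        if rec.used:
            return "replayed"
        if now > rec.expires_at:
            return "expired"
        if carrier_lookup is not None and carrier_lookup.get(client_ip or "") != rec.phone:
            return "carrier_mismatch"
        rec.used = True
        self._completed[rec.session_id] = rec.phone
        return "ok"

    def completed_phone(self, session_id: str) -> Optional[str]:
        """Polled by the originating session: the verified phone number, or None."""
        return self._completed.get(session_id)


def token_from_url(url: str) -> str:
    """Extract the token from a link of the form BASE_URL?t=<token>."""
    return parse_qs(urlparse(url).query).get("t", [""])[0]
```

Three design points carry the security argument: the token is long and random, stored only as a hash, and single-use with a short lifetime; the click is verified on the phone while the session that requested the check polls `completed_phone`, so the customer never retypes anything; and without the carrier binding a link lifted from an intercepted or forwarded SMS would still succeed, which is exactly why the optional carrier authentication matters.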
Some of the main benefits of Instant Link that Prove customers have found valuable for their businesses include:
- Instant Link is a more fortified form of SMS OTP that mitigates many of the interception vulnerabilities described above. There is no code for a fraudster to read and retype, the link is single-use and short-lived, and when the optional carrier authentication is enabled the link only works when it is opened on the phone the SMS was sent to, so in most cases the authentication succeeds only for the intended recipient.
- Instant Link is API-based and is easy to implement (for most standard configurations).
- Instant Link offers a much easier experience for customers. All they need to do is click as opposed to SMS OTP where a passcode must be entered.
- Many companies also like Instant Link’s ability to include additional context for the customer with a branded webpage that explains the purpose of the link.
Do you have questions about Instant Link and how it can help you meet your fraud prevention and customer experience goals? Get in touch with us to have all of your questions answered.