The Death of Passwords: How Phone Verification is Protecting Modern Applications and Their Users

The following is a guest contributed post from Srivatsan Srinivasan, Product Leader at Nexmo.

Passwords have long been the method of choice for authenticating users online. But we’re moving toward a world where consumers will no longer need handwritten lists to keep track of all their usernames and passwords from Netflix accounts to online banking accounts. Both the success of mobile-first applications and the occurrence of data breaches are driving businesses to implement stronger authentication while improving user experience. Phone verification has become the leading option for authenticating users on mobile devices.

Why is Phone Verification a better option?

Phone verification involves sending a single-use verification code over SMS or a voice call to a user and confirming that the user enters that code in the application. The code is sent out of band from the IP channel and expires a short time later. With phone verification, the authentication process becomes more secure, globally available, and seamless for users.

People can sign up for multiple email and social accounts at no cost, which makes them unreliable forms of identification. Mobile and landline phone numbers, on the other hand, are a stronger form of identity, as they need to be obtained from a carrier and have an associated cost.

Furthermore, phone numbers are almost ubiquitous at this point, with over seven billion mobile subscriptions worldwide. By comparison, even the largest social networks have fewer than two billion users and are inaccessible in some countries. Phone numbers as user identities further enable applications to grow and enable connections among their users.

Phone verification provides a relatively frictionless user experience compared to memorizing a complex password with numbers and special characters and entering it on each login attempt. Applications can even make use of contextual information and risk scoring to trigger a phone verification on critical transactions. Silent push verifications can enable seamless logins on mobile devices once a user’s phone number has been verified.

How to Make Phone Verification Successful

Through phone verification, users are asked to provide a phone number where they receive an SMS or voice message with a code, and are then prompted to enter the code within the application. It’s simple: intuitive for users and quick to implement for developers. Here are some key considerations to keep in mind when building a phone verification system:

  • Provide Clear Instructions: Make sure that the user interface is intuitive with clear instructions about what a user should enter and what to expect next. If a user enters an invalid number, indicate that and allow the user to change it. If the person still doesn’t successfully enter the correct code in a short time, resend the code, preferably over a different channel (like voice or chat).
  • Use Standard Algorithms: Ensure that the algorithm used to generate verification codes complies with industry standards such as RFC 6238 to ensure security. Also ensure that verification codes expire within a few minutes. Both of these are key components of a secure system.
  • Comply With Global Regulations: SMS messaging regulations differ across countries and even carriers. Not complying with these regulations will result in message filtering, which will impact the user experience (meaning that users might not receive messages).
  • Measure Conversions: Track and measure verification success rates. You may need to customize message templates and languages based on location to achieve optimal success rates.
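As an added illustration of the "Use Standard Algorithms" point (example code, not Nexmo's or the author's), the server side of a single-use code: RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) generates the code, the code expires with a five-minute lifetime, is consumed on first success, and the user gets a bounded number of attempts. The 6-digit length, 300-second lifetime and 3-attempt limit are assumed parameters, not values from the post.

```python
import hashlib
import hmac
import struct

# Assumed parameters (not from the post): 6-digit codes, a 300-second
# lifetime so a code expires within a few minutes, three attempts per code.
DIGITS = 6
LIFETIME_SECONDS = 300
MAX_ATTEMPTS = 3


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP, the building block of RFC 6238: HMAC-SHA1 over the
    8-byte big-endian counter, then dynamic truncation to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = LIFETIME_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(unix_time // step))


class PhoneVerification:
    """Server-side state for one verification request. The code sent over
    SMS or voice is single-use, expires after LIFETIME_SECONDS, and only a
    bounded number of guesses are accepted before a resend is required."""

    def __init__(self, secret: bytes, issued_at: float):
        self.secret = secret          # per-request random secret from the server
        self.issued_at = issued_at
        self.attempts = 0
        self.consumed = False

    def code_to_send(self) -> str:
        """The code delivered out of band (SMS or voice), never over the IP channel."""
        return totp(self.secret, self.issued_at)

    def check(self, candidate: str, now: float) -> bool:
        """True only for the first correct guess made in time and within the attempt limit."""
        if self.consumed or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        if now - self.issued_at > LIFETIME_SECONDS:
            return False              # expired: the app should resend, ideally over another channel
        # Constant-time comparison so timing does not leak matching digit prefixes.
        if hmac.compare_digest(self.code_to_send(), candidate):
            self.consumed = True
            return True
        return False
```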

Applications can easily implement passwordless logins using phone verification APIs and immediately benefit from higher security and an improved user experience. It’s an option that every organization that requires a user profile should closely consider.