Email and Password are SO last century!
Co-founder, CEO at tru.ID
Since the Internet began, the email address has been the primary way that businesses identify their users. Email addresses have become essential to our online lives, acting as a digital identity without revealing personal information such as a name or address.
But as the world increasingly goes mobile, email is no longer the right option. Email is typically paired with a password, and the combination delivers poor UX and weak security.
Fortunately, the mobile phone holds the answer (quite literally) – everyone has a unique mobile number, and the SIM card inside the phone is cryptographically secure. With the right approach, this combination can deliver an easy-to-use and highly secure mobile identity solution that is fit for the 21st century.
In this article, we look at the different UX and security challenges that a legacy email + password approach can cause, identify the most common pitfalls to avoid when moving to mobile, and look at the new identity alternatives – which are both far better and easier to implement than you may have thought possible.
Email + password causes UX friction
We’ve all become accustomed to using email + password when registering for a new online account. But on mobile it’s a difficult process: the average email address is 25 characters long, and security recommendations mean users need a long, complex password using numbers and symbols – and a different one for every single service, if they’re being thorough. Although some browsers and password management apps will store these for the user, it’s both a UX pain to set up and a security concern. Consequently, problems abound and users still have to reset passwords dozens of times a year. It all causes delay and user frustration, resulting in failed sign-ups and lost revenue for businesses.
Email enables fake accounts and fraud
Using email as an identifier on mobile is not just a UX challenge, it also opens up opportunities for fraud. It’s easy to sign up for unlimited numbers of free, throwaway email accounts, and these can be abused by bad actors, often using simulators or bots, to register for multiple online accounts. These accounts can then be used for a variety of fraudulent purposes such as to “phish” for personal information, to steal promotional offers aimed at new users, to commit fraud with stolen credit cards, to impersonate genuine users, or to take over existing accounts and steal money without being found.
In addition, fraudsters creating multiple fake accounts can cause operational costs and reputational damage, and adversely affect a company’s ability to measure and manage its genuine user base.
Email + password offers flawed security
The email address has no linkage to the mobile phone, it is simply an identifier. There is no way to validate physical possession of a mobile device, so user authentication is typically performed using a knowledge factor – the password. However, passwords are widely acknowledged as a flawed security solution. Consequently, SMS OTP (One Time Password) is often added as a second (possession) factor. But that is just a sticking plaster on top, creating further UX friction and introducing additional fraud risks.
If not email, then what?
Taken altogether, email + password is the wrong paradigm for user identity on mobile, especially now that better alternatives exist. Email became the default approach to online identity when the world was still desktop-based. But now that we live in a mobile-first world, it makes more sense to leverage the capabilities of the mobile phone to bring identity into the modern era. This is easy to implement, but has to be done the right way, to avoid some big potential pitfalls.
Mobile number alone can cause problems
Most phone-based authentication methods today simply use the mobile number alone, and rely on a PIN code that is sent via SMS, or a voice call to that number. Companies assume this is a possession-factor authentication method, but the problem is that it doesn't reliably prove possession. There are some fundamental flaws – and bad actors are taking advantage.
SIM swap: Bad actors are increasingly committing SIM swap fraud by persuading the mobile operator to issue them with a replacement SIM card that takes over the same mobile number. They are then able to receive all voice calls and SMS messages (including PIN codes) sent to that number, and then use those codes to take over that user’s accounts.
Mobile phone number recycling: A further drawback is that, because there is only a finite pool of mobile phone numbers available, they routinely get recycled by the mobile operators. If a mobile number alone is used as the identity key, and your previous number is later recycled to someone else, there’s a real chance they could gain access to your WhatsApp account, messages and contacts, as well as other private accounts that rely solely on mobile number.
Mobile number linked to a SIM card – a secure and frictionless solution
The key to authenticating a mobile user quickly, securely and reliably is to use their mobile number, but perform the verification using the SIM card in the mobile phone. A mobile number check that is linked to a physical SIM card is the strongest and lowest-friction solution for user identity on a mobile device, addressing all the issues raised above.
Unrivalled security: A SIM card comes with impregnable cryptography and is the same piece of highly secure, scalable and proven microcomputer technology that you can see in every credit card. Mobile phone numbers are also uniquely tied to an individual SIM card. At any one time, this pairing of mobile number + SIM card is entirely unique, not duplicable and cryptographically secure. There is nothing a phone user can do to tamper with that unique pairing.
Prevents SIM swap: Verifying with mobile number + SIM card works against SIM swap fraud by ensuring that the number hasn’t been reassigned by a bad actor.
Avoids fake accounts: Verifying the mobile number + SIM card before an account is opened makes it much harder for bad actors to generate multiple accounts for fraudulent purposes: there is a real cost and process overhead involved in obtaining a new SIM card, unlike purely digital identities (such as email addresses) which can be created by bots.
Seamless UX: For a user, the approach is especially simple – just type your number and it will be verified instantly, in real time, with no further action required – no SMS to wait for, no PIN code to retype.
tru.ID: mobile authentication, reimagined
tru.ID can help you to implement this 21st century approach to user identity. Our range of API-based authentication products enable you to quickly and securely verify the number of an active mobile device. This provides an enhanced, frictionless user experience, reducing fraud and helping you to increase mobile revenues.
Instant PhoneCheck provides instant authentication of the mobile number of the connected mobile device, greatly improving the user experience and reducing drop-off rates.
Strong SubscriberCheck provides real-time verification of the mobile number and SIM card identity to provide a high-security, low-friction mobile authentication solution that also eliminates the risk of SIM Swap fraud.
Or, if you really, really want to stick with SMS OTP, and so need an easy add-on security solution, we offer:
Active SIMCheck, which allows you to check that there has not been a SIM swap before you send the SMS OTP to the user. (Of course, there are still all the other risks related to SMS OTP, but this is definitely a big improvement and a short-term fix while you plan the full solution.)
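The two checks described above, the SIM-swap gate before an SMS OTP is sent and the stronger binding of an account to mobile number + SIM, can be expressed as server-side policy. The following Python is an added example written for this article; it is not tru.ID's code and does not use the tru.ID API. The operator lookup (`lookup_sim`), the opaque `sim_ref` values and the sample subscribers are all constructed stand-ins, and the seven-day swap window is an assumed policy value. The third sample number shows the caveat from the paragraph above: a date-only swap check lets a recycled number through, while the number + SIM binding refuses it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class SimStatus:
    """Shape of a hypothetical operator-side answer for a mobile number."""
    sim_ref: str         # opaque, non-reversible reference to the SIM serving the number
    sim_since: datetime  # when the current SIM became associated with the number


@dataclass(frozen=True)
class Enrolment:
    """What the service stored when the user first verified (hypothetical)."""
    number: str
    sim_ref: str
    enrolled_at: datetime


# Reference "now" so the example is deterministic.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample data: not real subscribers, not real SIM identifiers.
OPERATOR_VIEW: Dict[str, SimStatus] = {
    "+447700900001": SimStatus("sim-A",  T0 - timedelta(days=400)),  # stable subscriber
    "+447700900002": SimStatus("sim-B2", T0 - timedelta(hours=6)),   # SIM replaced 6 hours ago
    "+447700900003": SimStatus("sim-C2", T0 - timedelta(days=90)),   # number recycled 90 days ago
}

ENROLMENTS: Dict[str, Enrolment] = {
    n: Enrolment(n, ref, T0 - timedelta(days=300))
    for n, ref in (("+447700900001", "sim-A"),
                   ("+447700900002", "sim-B"),
                   ("+447700900003", "sim-C"))
}


def lookup_sim(number: str) -> Optional[SimStatus]:
    """Stand-in for querying the operator; returns None if the number is not active."""
    return OPERATOR_VIEW.get(number)


def otp_send_decision(number: str, now: datetime = T0,
                      window: timedelta = timedelta(days=7)) -> str:
    """Add-on gate for an SMS OTP flow: refuse to send if the SIM changed recently.

    This only knows *when* the SIM last changed, so a number recycled to a new
    subscriber months ago still passes. It narrows the SIM-swap window; it does
    not prove the number belongs to the enrolled user.
    """
    status = lookup_sim(number)
    if status is None:
        return "deny:unknown_number"
    if now - status.sim_since < window:
        return "deny:recent_sim_change"
    return "send_otp"


def sim_bound_login_decision(number: str) -> str:
    """Strong form: the account is bound to number + SIM; no OTP is involved.

    Any change of SIM since enrolment (a SIM swap or a recycled number) is a
    mismatch and the user must re-enrol through a separate identity-proofing step.
    """
    enrolment = ENROLMENTS.get(number)
    status = lookup_sim(number)
    if enrolment is None or status is None:
        return "deny:not_enrolled"
    if status.sim_ref != enrolment.sim_ref:
        return "deny:sim_changed_since_enrolment"
    return "allow"


if __name__ == "__main__":
    for n in ("+447700900001", "+447700900002", "+447700900003"):
        print(n, otp_send_decision(n), sim_bound_login_decision(n))
```

Run as a script it prints one line per sample number. Only the first number is allowed by both checks; the second is refused by both; the third (recycled) is refused only by the number + SIM binding, which is the gap the date-only check leaves open.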