Credits: Unsplash

March 3, 2021

Failure to deliver: Your mobile onboarding is costing you users!

Parth Awasthi
Head of Product

If you verify mobile numbers at onboarding, using SMS or other legacy verification methods just doesn’t deliver. Up to 30% of users drop off at this stage, since SMS messages take too long – or don’t arrive at all. We explain why this happens, and what you can do about it…

Experts now recommend enabling 2FA (two-factor authentication) for every digital account, and if you provide an app or online service, you already know how essential it is to keep out spam and fraudsters by verifying users.
The majority of services do this through codes sent by SMS or email. SMS OTPs (one-time passwords) are a popular choice because mobile devices are universal. So in theory, this is a fast and automatic way to verify possession.

Yet we’ve all had the experience of waiting five minutes for the SMS that never arrives; there’s a reason every service has to provide the option to send the code again. This adds major friction to the user experience: 20-30% of users drop off during the mobile onboarding process, and this number rises to over 50% when a second attempt is needed.

So why does this happen? Isn't SMS meant to be near real-time messaging? We’ll explain what goes on behind the scenes – and what the results are for UX.

The SMS latency nightmare

SMS messages are based on protocols that date back to 1985 and were designed to communicate between SMSCs (SMS centres) rather than with humans.

What does this look like in practice? Well, it depends. You might be lucky – if Tom, who uses mobile network A, wants to send a message to Dan on network B, it might go like this:

Tom’s phone → Network A SMSC → Network B SMSC → Dan’s phone

But what if the message wasn’t sent by a person, but via an API, as is almost always the case with 2FA? Then there are more steps:

API server in New York → Network C in Canada that API server has a deal with → Network A in the UK that Network C has a preferential agreement with → Network B SMSC → Dan’s phone.

If one of these carriers is unavailable or very busy, it can get even more complex: the SMS will be sent to an aggregator, which picks up the message and sends it on to the next SMSC.

The greater the number of interconnections, the greater the likelihood that one of the links is broken. You may be wondering, then, why carriers don’t make deliverability a bigger priority. The answer comes down to numbers. Telcos don’t have the capacity to let all their subscribers use the service simultaneously – this would be expensive and usually unnecessary. But when they do go over capacity, this causes delays (and sometimes even network outages) for everyone.

So-called ‘premium’ SMS routes do nothing to avoid this: the protocol is purely automatic, with no particular messages taking priority, so there isn't really any such thing as a premium SMS route. Even though the average consumer receives an SMS within 5-10 seconds, over a long time across a large population, many will receive it after substantial latency – or not at all.

Even a small minority of users experiencing delays or missed messages adds up to a significant abandonment rate, especially at the onboarding stage, when users aren’t yet invested in a service. Some key figures:

  • Anything that takes more than 500 milliseconds is not perceived as ‘real-time’ by users.
  • More than 2500 milliseconds makes users actively impatient.
  • The likelihood of abandonment increases exponentially beyond the 10 second mark.
  • A wait of 30 seconds or more is almost guaranteed to lead to abandonment of the process.
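One way to measure your own OTP delivery against the thresholds listed above, as an added example that is not tru.ID code. The log format, the event names `otp_sent` and `otp_delivered`, and the band labels are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (not real data): ISO timestamp, event, request id.
SAMPLE_LOG = """\
2021-03-03T10:00:00.000 otp_sent r1
2021-03-03T10:00:00.400 otp_delivered r1
2021-03-03T10:00:01.000 otp_sent r2
2021-03-03T10:00:03.000 otp_delivered r2
2021-03-03T10:00:02.000 otp_sent r3
2021-03-03T10:00:09.500 otp_delivered r3
2021-03-03T10:00:05.000 otp_sent r4
2021-03-03T10:00:25.000 otp_delivered r4
2021-03-03T10:00:06.000 otp_sent r5
2021-03-03T10:00:51.000 otp_delivered r5
2021-03-03T10:00:07.000 otp_sent r6
2021-03-03T10:00:08.000 otp_delivered r9
"""

# Upper bounds in milliseconds, taken from the figures listed above.
BANDS = [(500, "real-time"), (2500, "noticeable"), (10_000, "impatient")]

def band(latency_ms):
    """Map a delivery latency (None = no receipt seen) to a band."""
    if latency_ms is None:
        return "undelivered"
    for upper, name in BANDS:
        if latency_ms <= upper:
            return name
    return "abandonment likely" if latency_ms < 30_000 else "abandonment near-certain"

def latencies(log_text):
    """Return {request_id: latency in ms, or None if never delivered}.
    Receipts for unknown ids and duplicate receipts are ignored."""
    sent, result = {}, {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, event, rid = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if event == "otp_sent":
            sent[rid] = ts
            result.setdefault(rid, None)
        elif event == "otp_delivered" and rid in sent and result[rid] is None:
            result[rid] = round((ts - sent[rid]).total_seconds() * 1000)
    return result

def summarize(log_text):
    return Counter(band(ms) for ms in latencies(log_text).values())
```

Counting undelivered requests as their own band matters here: an average taken over delivered messages alone hides the users who never received a code.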

Altogether, this results in a major drop in conversion, and it’s not the only problem...

Break in flow = distracted users

The apps on a mobile phone are all designed to distract and absorb you. Every time a user has to exit the app to receive an SMS, the switch in context breaks the onboarding flow, increasing the likelihood of abandonment. Even the few steps of closing the app, opening the inbox, and reopening the app seem frustrating in comparison to the usual smooth flow of smartphone usage.

Once a user returns to their home screen or SMS inbox, they’re likely to notice unread notifications – especially if they have to wait several minutes for a PIN to arrive. These hold more urgency than a new app the user isn’t yet invested in, and they’re likely to forget about the onboarding process or lose interest in completing it.

Security concerns

With more spam, phishing, and fraud than ever before, users are understandably cautious when it comes to security. A common tactic of malicious actors is to send SMS messages purporting to originate from your business and asking for 2FA codes. Public awareness of the security risks of SMS is increasing too.

As a result, users may get alarmed that they’re being scammed when they receive a PIN code, URL, or other onboarding instruction requiring action from them, especially if they weren’t expecting one or have forgotten about it, and may well abandon the signup out of uncertainty.

Poor usability

On top of all this, users become frustrated by the unnecessary friction of memorising PIN codes and passwords, by clunky context switches that mean having to open multiple apps, and of course by waiting for SMS codes.

What’s the alternative?

SMS OTP is just one of several authentication methods – its purpose is to prove possession of a unique mobile phone number. But as well as delay and drop-off problems, this method is vulnerable to SIM swap attacks. Codes sent via email have similar drawbacks, as malicious actors can easily bypass email credentials.

Despite its flaws, SMS authentication remains popular thanks to its relative ease of use and ubiquity across mobile devices, as more people access the web via mobile than ever before.

However, you can improve mobile authentication without losing any of the benefits of SMS. Verifying possession with the SIM card instead provides a smoother UX, stronger security, and no waiting period for users to abandon the process.

tru.ID: mobile authentication, reimagined

tru.ID can help you to implement this 21st-century approach to user identity. Our range of API-based products enables you to quickly and easily implement secure, frictionless mobile user authentication, reducing fraud and helping you to increase mobile revenues.

Instant PhoneCheck provides instant authentication of the mobile number of the connected mobile device, greatly improving the user experience and reducing drop-off rates.

Strong SubscriberCheck provides real-time verification of the mobile number and SIM card identity, providing a high-security, low-friction mobile authentication solution that also eliminates the risk of SIM Swap fraud.

Or, if you really, really want to stick with SMS OTP, and so need an easy add-on security solution, we offer:

Active SIMCheck, which allows you to check that there has not been a SIM swap before you send the SMS OTP to the user. (Of course, there are still all the other risks related to SMS OTP, but this is a big improvement and a short-term fix while you plan the full solution.)
