If you verify mobile numbers at onboarding, using SMS or other legacy verification methods just doesn’t deliver. Up to 30% of users drop off at this stage, since SMS messages take too long – or don’t arrive at all. We explain why this happens, and what you can do about it…
Experts now recommend enabling 2FA (two-factor authentication) for every digital account, and if you provide an app or online service, you already know how essential it is to keep out spam and fraudsters by verifying users.
The majority of services do this through codes sent by SMS or email. SMS OTPs (one-time passwords) are a popular choice because mobile devices are universal. So in theory, this is a fast and automatic way to verify possession.
Yet we’ve all had the experience of waiting five minutes for the SMS that never arrives; there’s a reason every service has to provide the option to send the code again. This adds major friction to the user experience: 20-30% of users drop off during the mobile onboarding process, and this number rises to over 50% when a second attempt is needed.
So why does this happen? Isn't SMS meant to be near real-time messaging? We’ll explain what goes on behind the scenes – and what the results are for UX.
SMS messages are based on protocols that date back to 1985 and were designed to communicate between SMSCs (SMS centres) rather than with humans.
What does this look like in practice? Well, it depends. You might be lucky – if Tom, who uses mobile network A, wants to send a message to Dan on network B, it might go like this:
Tom’s phone → Network A SMSC → Network B SMSC → Dan’s phone
But what if the message wasn’t sent by a person, but via an API, as is almost always the case with 2FA? Then there are more steps:
API server in New York → Network C in Canada that API server has a deal with → Network A in the UK that Network C has a preferential agreement with → Network B SMSC → Dan’s phone.
If one of these carriers is unavailable or very busy, it can get even more complex: the SMS will be sent to an aggregator, which picks up the message and sends it on to the next SMSC.
The greater the number of interconnections, the greater the likelihood that one of the links is broken. You may be wondering, then, why carriers don’t make deliverability a bigger priority. The answer comes down to numbers. Telcos don’t have the capacity to let all their subscribers use the service simultaneously – this would be expensive and usually unnecessary. But when they do go over capacity, this causes delays (and sometimes even network outages) for everyone.
So-called ‘premium’ SMS routes do nothing to avoid this: the store-and-forward chain is automatic end to end, and in practice no individual message is treated as more urgent than another, so there isn't really any such thing as a premium SMS route. Even though the average consumer receives an SMS within 5-10 seconds, measured over time and across a large population, many users will receive it only after substantial latency – or not at all.
Even a small minority of users experiencing delays or missed messages adds up to a significant abandonment rate, especially at the onboarding stage, when users aren’t yet invested in a service. Some key figures:
Altogether, this results in a major drop in conversion, and it’s not the only problem...
The apps on a mobile phone are all designed to distract and absorb you. Every time a user has to exit the app to receive an SMS, the switch in context breaks the onboarding flow, increasing the likelihood of abandonment. Even the few steps of closing the app, opening the inbox, and reopening the app seem frustrating in comparison to the usual smooth flow of smartphone usage.
Once a user returns to their home screen or SMS inbox, they’re likely to notice unread notifications – especially if they have to wait several minutes for a PIN to arrive. These hold more urgency than a new app the user isn’t yet invested in, and they’re likely to forget about the onboarding process or lose interest in completing it.
In the age of more spam, phishing, and fraud than ever before, users are understandably cautious when it comes to security. A common tactic of malicious actors is to send SMS messages purporting to originate from your business and asking the recipient to hand over a 2FA code. Public awareness of the weaknesses of SMS as a security channel is increasing too.
As a result, users may get alarmed that they’re being scammed when they receive a PIN code, URL, or other onboarding instruction requiring action from them, especially if they weren’t expecting one or have forgotten about it, and may well abandon the signup out of uncertainty.
On top of all this, users become frustrated by the unnecessary friction of reading and retyping PIN codes and passwords, clunky context switches that mean having to open multiple apps, and of course the wait for SMS codes.
SMS OTP is just one of several authentication methods – its purpose is to prove possession of a unique mobile phone number. But as well as delay and drop-off problems, this method is vulnerable to SIM swap attacks, in which an attacker has the number ported to a SIM they control and receives the code instead of the user, and to the phishing of codes described above. Codes sent via email have similar drawbacks: anyone who has phished or otherwise taken over the user's email account receives the code too.
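For readers who still need to ship an SMS OTP flow, the following is an added example (not tru.ID code, and not a product of any library described on this page) of the server-side controls that matter when a code is late, never arrives, or is being guessed: a resend cooldown so that "send again" does not flood the carrier route, a short validity window, a bounded number of guesses, single use, and a constant-time comparison. The `send_sms` callback, the constants and the test number are assumptions for illustration; a real deployment would hand the message to an SMS API and persist challenges in a shared store rather than a dictionary.

```python
"""
Added example (not tru.ID code): a minimal server-side SMS OTP issuer/verifier.
The transport is a hypothetical send_sms(msisdn, text) callback; every
constant below is an illustrative choice, not a figure from the article.
"""
import hmac
import re
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_S = 5 * 60          # a code that arrives after five minutes is refused
RESEND_COOLDOWN_S = 30      # minimum gap between "send again" requests
MAX_RESENDS = 3
MAX_ATTEMPTS = 5            # 10^6 code space, so the online guess budget must be tiny


@dataclass
class Challenge:
    code: str
    sent_at: float
    attempts: int = 0
    resends: int = 0


class OtpService:
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # hypothetical transport: send_sms(msisdn, text)
        self._now = now             # injectable clock so the flow can be driven offline
        self._active = {}           # msisdn -> Challenge (a real service uses a shared store)

    def request(self, msisdn: str) -> str:
        prev = self._active.get(msisdn)
        resends = 0
        if prev is not None:
            if self._now() - prev.sent_at < RESEND_COOLDOWN_S:
                return "cooldown"
            if prev.resends >= MAX_RESENDS:
                return "too_many_resends"
            resends = prev.resends + 1
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # A resend replaces the earlier code: only the most recent one is valid.
        self._active[msisdn] = Challenge(code, self._now(), resends=resends)
        self._send_sms(msisdn, f"Your verification code is {code}. We will never ask you for it.")
        return "sent"

    def verify(self, msisdn: str, submitted: str) -> str:
        ch = self._active.get(msisdn)
        if ch is None:
            return "no_challenge"
        if self._now() - ch.sent_at > OTP_TTL_S:
            del self._active[msisdn]
            return "expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._active[msisdn]    # budget spent: even the right code is refused now
            return "locked"
        if hmac.compare_digest(ch.code, submitted):   # constant-time, no early exit on mismatch
            del self._active[msisdn]    # single use: a replayed code finds no challenge
            return "ok"
        return "wrong"


def code_in(text: str) -> str:
    """Pull the 6-digit code back out of a captured message (test helper)."""
    return re.search(r"\b\d{6}\b", text).group(0)


def demo() -> dict:
    """Drive the service with a fake clock and a capturing transport; returns each outcome."""
    clock = [1_700_000_000.0]            # fake wall clock, seconds
    outbox = []                           # captured (msisdn, text) instead of a real SMS route
    svc = OtpService(lambda to, text: outbox.append((to, text)), now=lambda: clock[0])
    msisdn = "+447700900123"              # constructed number from the UK test range
    r = {}
    r["first"] = svc.request(msisdn)                          # "sent"
    r["immediate_resend"] = svc.request(msisdn)               # "cooldown"
    clock[0] += RESEND_COOLDOWN_S
    r["resend_after_cooldown"] = svc.request(msisdn)          # "sent", and the old code is dead
    stale, fresh = code_in(outbox[0][1]), code_in(outbox[1][1])
    if stale == fresh:                                        # one-in-a-million collision guard
        stale = "0000000"
    r["stale_code"] = svc.verify(msisdn, stale)               # "wrong"
    r["guesses"] = [svc.verify(msisdn, "0000000") for _ in range(MAX_ATTEMPTS - 1)]
    r["locked"] = svc.verify(msisdn, fresh)                   # "locked": sixth attempt, right code or not
    r["fresh_after_lock"] = svc.request(msisdn)               # "sent"
    r["accepted"] = svc.verify(msisdn, code_in(outbox[2][1])) # "ok"
    r["replay"] = svc.verify(msisdn, code_in(outbox[2][1]))   # "no_challenge"
    r["late_request"] = svc.request(msisdn)                   # "sent"
    clock[0] += OTP_TTL_S + 1
    r["late_code"] = svc.verify(msisdn, code_in(outbox[3][1]))  # "expired"
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22s} {outcome}")
```

The expiry and lockout branches are exactly the paths an onboarding screen hits when the SMS is late: the user waits, taps "send again", and then types the first code that finally arrives, which by then has been superseded or has expired. Whatever the UI shows at that point should tell them to use the newest message rather than silently failing.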
Despite its flaws, SMS authentication remains popular thanks to its relative ease of use and ubiquity across mobile devices, as more people access the web via mobile than ever before.
However, you can improve mobile authentication without losing any of the benefits of SMS. Verifying possession with the SIM card instead provides a smoother UX, stronger security, and no waiting period for users to abandon the process.
tru.ID can help you to implement this 21st century approach to user identity. Our range of API-based products enable you to quickly and easily implement secure, frictionless mobile user authentication, reducing fraud and helping you to increase mobile revenues.