In a mobile-first world, SMS is proving to be one of the most essential tools for businesses. From its critical role in communicating with customers globally to providing top security, this series produced by Nexmo explores key aspects of SMS that many organizations may be unaware of. See all the posts here.
This sponsored post is produced in association with Nexmo.
The biggest problem with passwords? People forget them. Sometimes over and over again. In many cases, the process for retrieving passwords is a simple, self-service online reset. But the more rigorous an app is about security, the more likely a user is going to have to call IT to reset a password — and that costs companies money.
According to a study by Gartner, up to 30 percent of customer support calls are password-related — whether it’s account lockouts, account reactivation, or forgotten passwords. Fortunately, the secret to securely allowing end users to reset passwords without calling the IT help desk may be as simple as verifying phone numbers.
It works like this: when an end user opens an account on your mobile app or Web service, you simply ask for their mobile number along with the other information you collect. Now when that user initiates a password reset, you can send a one-time passcode to their phone via SMS or voice message — or push notification, if the user has your mobile app. Your customer then enters that PIN online and voila! Now you know that person is who they say they are.
Phone verification is more secure than email because mobile phones are one of the few devices people carry with them at all times and never take their eyes off of. And without having a user’s cell phone in hand, a cybercrook can’t change or reset a password on an account.
Even better, because you can automate sending a passcode to a mobile phone, the process is fast and easy on both sides of the equation — for your IT department and for your customers.
Let’s take a close look at why verifying phone numbers is a preferable solution for password reset than what else is out there.
Help desk calls are costly, and equal a bad UX
When it comes to any IT issue, customer service calls should be a last resort for several reasons. To begin with, they are expensive. According to Fast Pass Corporation, the fully burdened cost of a password reset is $18 per support call, not factoring in loss of productivity. It doesn’t sound like a lot at first, but those costs add up quickly. In contrast, phone verification costs only a few cents.
But the bigger issue is, IT calls are a hassle. Nobody wants to go through the 15-minute rigmarole of reaching a live agent these days. What’s more, the harder an end user has to work to re-access their account, the less likely they are to reactivate or ever use their account again. At some point, it’s just not worth the effort.
Email is highly unsecure
To avoid the help desk call, a lot of companies send a link for a password reset to a user’s email. But that’s like leaving the front door open for criminals. To begin with, people often use the same email address for multiple online accounts. So if a hacker gets a user’s email from one source, they can re-use it to request password resets on bank, social media, and multiple other online accounts. According to a 2014 study done by Ponemon Institute, 43 percent of companies report having experienced a data breach and loss of customer records of some kind.
However, many companies are adopting more secure, intuitive login procedures that don’t require a password. Take Yahoo for example. Upon sign in, an on-demand password is texted directly to a user’s mobile phone. Once a user opts-in, the next time they sign on, Yahoo will send a secure password directly to their mobile phone. This new authentication option aims to ease anxiety around password memorization and improve security for users.
Static KBA questions are too easy to guess
Another favorite for resetting passwords is knowledge-based authentication (KBA). Typically, with static KBA (also called ‘shared secrets’), when a customer sets up an online account, an organization will produce a set of personal questions that the customer provides answers to. The organization stores this information for when the consumer logs back into their account and needs to be authenticated.
The questions are simple, and range from “Where were you born?” to “What was the first company you ever worked for?” With people posting so much personal information on social media these days, finding the answers to someone’s password-reset questions can be relatively easy work for hackers. According to a recent study by Google, static KBA is simply not enough for password protection.
Dynamic KBA is too invasive
Unlike static KBA, dynamic KBA doesn’t rely on fixed questions. Instead, when a user requests a password reset, this technique generates questions on-the-fly based on a person’s credit reports, marketing data, and public records. The questions are intrusive and annoying. And because the information is on public record, criminals can usually find the answers fairly easily.
That leaves phone number verification as the one solution for self-service password reset that makes the most sense. Phone verification strikes the perfect balance between cost, security and end user experience. It’s extremely easy to implement, and it works because nearly everyone has a phone these days.
In this day and age, properly confirming your customers’ identity is vital to keeping their financial and personal information safe. Companies who take security seriously will consider phone number verification as a secure solution for resetting passwords and reducing IT costs.
Sponsored posts are content that has been produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. The content of news stories produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact sales@venturebeat.com.