ArrayShield CEO talks about risks associated with password based authentication

Infotech Lead India: Pavan Thatha, co-founder and CEO at ArrayShield, says the SMS-based authentication approach is fundamentally flawed.


What does the RBI have to say regarding SMS OTP?

Key feedback received from customers of SMS OTP is that it leads to several issues or inconvenience due to factors like network availability, restriction to a particular phone number, non-availability of the service when customer travels abroad, timing out of online transactions due to slow speed of OTP transmission etc.

The SMS-based authentication approach is fundamentally flawed for the following reasons:

Delay in delivery of SMS

Although most SMS text messages are transmitted in seconds, it is common to find them delayed when networks become congested. SMS traffic is not sent point to point: it is queued, then forwarded to the required network cell, where it is queued again and finally sent to the end user's phone. This queuing gives rise to delays at peak operator periods, and it is not infrequent to hear users of SMS-based authentication complain that their SMS was delayed by a few hours. Added to this, the application typically allows only a session timeout of a few minutes for the authentication or transaction to complete.

Assume that 4 percent of users trying to authenticate will fail and will need to raise a help desk call to gain emergency access. For a deployment of 10000 users authenticating each day, 400 help desk calls would then be raised per day.
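The interaction between delivery delay and the authentication window can be made concrete with a small server-side OTP verifier. This is an added example, not code from the article or from ArrayShield: it assumes a two-minute validity window and six-digit codes, issues each code from a CSPRNG, compares in constant time, and consumes the code on first successful use. An injectable clock lets the delayed-SMS failure mode be simulated offline: a code that spends hours queued in the operator network arrives already expired and is rejected, which is exactly the case that ends in a help desk call.

```python
import hmac
import secrets
import time

# Constructed parameters for this example (not from the article):
# validity window in seconds and the number of OTP digits.
OTP_TTL_SECONDS = 120      # the two-minute window the article refers to
OTP_DIGITS = 6


class OtpStore:
    """Server-side one-time password issuance and verification.

    Each OTP is bound to a user, expires after OTP_TTL_SECONDS, and is
    consumed on first successful verification so it cannot be replayed.
    The clock is injectable so delivery delay can be simulated.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user_id -> (code, issued_at)

    def issue(self, user_id):
        # secrets.randbelow is CSPRNG-backed; zero-pad to a fixed width.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = (code, self._clock())
        return code   # this is what would be handed to the SMS gateway

    def verify(self, user_id, submitted):
        """Return (ok, reason). The reason separates an expired code (the
        delayed-SMS failure mode) from a wrong or already-used one."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False, "no_pending_otp"
        code, issued_at = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            # Expired codes are discarded; the user must request a new one.
            del self._pending[user_id]
            return False, "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(code, submitted):
            return False, "mismatch"
        # Single use: consume the code on success so it cannot be replayed.
        del self._pending[user_id]
        return True, "ok"


class FakeClock:
    """Controllable clock used to simulate SMS delivery delay."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


def simulate_delivery(delay_seconds):
    """Issue an OTP, let the SMS take delay_seconds to arrive, then verify.

    Returns the verification reason so the outcome of a given delay can be
    observed directly ('ok' within the window, 'expired' beyond it).
    """
    clock = FakeClock()
    store = OtpStore(clock=clock)
    code = store.issue("alice")            # "alice" is a constructed user id
    clock.advance(delay_seconds)           # time spent queued in the network
    ok, reason = store.verify("alice", code)
    return reason


if __name__ == "__main__":
    print("delivered in 10 s ->", simulate_delivery(10))
    print("delivered in 3 h  ->", simulate_delivery(3 * 3600))
```

Note that the window is enforced on the server regardless of why the SMS was late; network queuing, a no-coverage area, or a data session blocking delivery all look the same to the verifier, so the only safe recovery is to discard the stale code and issue a fresh one rather than extend the validity of the old one.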

What does the Standard Chartered bank website say regarding SMS OTP?

There may be some service delays or interruptions by your mobile service providers. Delays could arise due to high SMS load e.g. festive seasons, service outage, earthquakes etc. Your mobile phone may be out of network coverage. Please check the signal strength on your phone. You will not be able to receive SMS if you are located in Japan or Korea or Indonesia and your mobile phone is roaming in these countries.

No Coverage Areas

Mobile phone signals are not always available, particularly in buildings with thick outer walls, in underground basements, or in computer rooms that give off high RF noise. Consider a user trying to authenticate in one of these locations. When they fail to receive their authentication code, they would next need to move to a location that has a signal, receive their authentication code, and move back to the original location to enter their OTP (One Time Password), all within a timeout period of 2 minutes. Users in these locations would have no alternative but to raise help desk calls to gain emergency access.

Unavailability of Mobile Phone

There are also cases where the user has forgotten the mobile phone somewhere, has lost it, the battery has run down, or the mobile number has changed but has not been updated. In all these cases the continuity of access to the application is adversely affected. Some studies have shown that over 50 percent of mobile users misplace or forget their mobiles at least once a month. All of this amounts to increased help desk and support calls.

Low level of Security

There are also potential security issues with SMS-OTP. Firstly, all the mobile phone operators between the service provider and the user become part of the trust chain and thus need to be trusted; in the case of roaming there are multiple operators. Secondly, the encryption protecting SMS can be broken by an attacker, and therefore SMS-OTP cannot be totally.

Downtime with SMS Gateway

Whenever the SMS gateway is under maintenance or facing issues, the timeliness of SMS delivery is affected. A similar situation arises when there is a service outage on the operator's network.

Unavailability of service for roaming user

When a customer travels abroad, depending on the operator there may be restrictions on the availability of the service. In those cases the user is denied access to the application and has to resort to emergency help desk calls.

High Cost for roaming user

Even where the service is available in some countries, the roaming cost per SMS makes the TCO of the system very high. This has to be factored in while calculating the TCO and ROI of the system.

Dependency on Government Regulations

In emergency and sensitive situations, governments can order the blocking of bulk SMS, thereby affecting the service of SMS-based authentication methods.

A similar situation was seen in 2010, when the government called for the blocking of all bulk SMS during a court hearing on a sensitive subject.

Mobile phone used to connect to the internet

When a mobile phone has an active data connection it cannot receive SMS messages, and in most cases the user is not aware of this. Users utilizing their mobile phone as a way of connecting to the Internet would not receive their authentication code until they disconnect the data session.

Conclusion

Organizations looking at implementing a two factor authentication solution should take due care that the above factors are considered when evaluating SMS-based authentication solutions against other forms of two factor authentication.

By Pavan Thatha, co-founder and CEO at ArrayShield

ArrayShield Technologies is a provider of innovative Pattern based Two Factor Authentication Solutions.