Secure Mobile Authentication 101
Everything you need to know about securely authenticating customer identities via mobile device
Statista estimates that there are 6.6 billion smartphone users worldwide as of 2022. According to REVIEWS.org, on average, Americans check their mobile phones 344 times a day, or once every four minutes. Statista further reports that mobile devices account for approximately half the internet traffic worldwide.
When so many people are spending so much time on mobile phones and tablets, it only makes sense that they’d want to use these devices to establish accounts, make purchases, book appointments, check balances, and conduct other business with a wide range of organizations.
In fact, Shopify expects that 42.9% of all ecommerce purchases will be made by a mobile device by 2024. Bookedin found that of the 1.5 million online appointments its users made in 2019, 82% were booked using a mobile device. In January 2021, Bank of America reported that it had “approximately 31 million mobile users.”
Mobile authentication is the process of verifying a customer’s identity on their mobile device before granting them access to their accounts and data. The ability to provide secure mobile access to customer accounts is critical for any organization that conducts business or offers services online. Enabling customers to access their accounts through whichever device they are using in the moment has become an important part of the overall customer experience that no company can afford to ignore.
Types of Mobile Authentication
Whether customers attempt to log in via an app or a mobile browser, there are several different types of factors that can be used to confirm that the person trying to access the account is the person who owns it. The customer establishes their factor(s) when they create their account and then presents them each time they attempt to log in.
Mobile authentication factors fall into three categories:
- Something the user knows, such as a password or PIN (knowledge-based)
- Something the user has, such as a four-digit code sent to their phone (possession-based)
- Something the user is, such as a scan of their fingerprint or face (biometric-based)
Pattern and Digit-Based Authentication
Pattern and digit-based authentication describes two options that can be used to unlock devices and accounts. Pattern-based authentication asks the user to use their finger to draw a pattern on their screen. For digit-based authentication, the user is asked to enter a four- or six-digit PIN.
These factors offer the advantage of speed and ease, since either is easier to enter than a password. In practice, though, users typically choose simple patterns, such as an S or an L, or easy PINs, such as 1234 or their birthday, which are easily guessed by hackers.
Password Authentication
One of the most common factors used for mobile authentication is the password, typically used in conjunction with the customer’s email address or username to confirm their identity.
Passwords provide varying degrees of ease of use and security. When users can establish their own passwords without any limitations, they tend to choose things that are easy to remember. Customer-created passwords are usually simple, use only the minimum number of characters required, and contain personal information such as significant dates. Customers also frequently reuse the same password across multiple accounts.
Businesses can enhance security by increasing the requirements for establishing a valid password. In addition to raising the minimum number of necessary characters, they can mandate that the password contain capital letters, numbers, and special characters. They can also block users from including their birthday, address, or other profile information in their password.
But these security measures make passwords both harder to remember and more difficult to successfully enter using a mobile device.
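The following Python function is an added illustration of the policy checks described above; it is not code from the original article or from Daon. It enforces a minimum length, the capital-letter, number and special-character requirements, and a block on strings derived from the customer's own profile (email name, birthday in the formats people actually type, and street name). The 12-character minimum, the profile field names, the date formats, and the sample profile are all assumptions made for this example.

```python
import re
from datetime import date

MIN_LENGTH = 12  # assumed minimum; the text only says to raise it


def profile_fragments(profile: dict) -> set[str]:
    """Lower-case strings a customer is likely to reuse from their own profile.

    The profile shape {"email", "birthday", "address"} is an assumption for this example.
    """
    frags: set[str] = set()
    local_part = profile.get("email", "").split("@")[0].lower()
    if local_part:
        frags.add(local_part)
        frags.update(p for p in re.split(r"[._+\-]", local_part) if len(p) >= 3)
    birthday = profile.get("birthday")
    if isinstance(birthday, date):
        # The date layouts people actually type into passwords (assumed list).
        for fmt in ("%Y", "%m%d", "%d%m", "%Y%m%d", "%m%d%Y", "%d%m%Y", "%d%m%y"):
            frags.add(birthday.strftime(fmt))
    # Street or town names of four letters or more from the postal address.
    frags.update(re.findall(r"[a-z]{4,}", profile.get("address", "").lower()))
    return frags


def check_password(password: str, profile: dict) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    # Sorted so the report is deterministic regardless of set iteration order.
    hits = sorted(f for f in profile_fragments(profile) if f in lowered)
    if hits:
        problems.append("contains profile data: " + ", ".join(hits))
    return problems


# Constructed sample profile for the demonstration.
SAMPLE_PROFILE = {
    "email": "jane.doe@example.com",
    "birthday": date(1990, 7, 4),
    "address": "123 Main Street",
}

if __name__ == "__main__":
    for candidate in ("short", "Jane1990!xyz", "Tr0ub4dor&3-Correct"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "accepted")
```

Returning every violation at once, rather than stopping at the first, lets the registration form tell the customer everything that is wrong in a single round trip, which is the kind of friction reduction the UX section below argues for.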
One-Time Password (OTP) Authentication
A one-time password is a code sent to the customer’s mobile device via SMS or email when they try to log into their account. The code is automatically generated and only valid for a limited period of time, usually for only a few minutes. Depending on how the business has established its security, the OTP can be used in conjunction with or in lieu of a traditional password.
An OTP increases security by moving authentication from a password the user knows, and which can be more easily stolen, to something the user has – their mobile device. Also called soft token authentication, use of an OTP further enhances security by being dynamic, automatically generated, and only valid for a short time.
Social Login Authentication
Social-based login enables customers to gain access to their account using the credentials they’ve already established with a social networking site such as Google, Facebook, Twitter, or LinkedIn.
Because it functions as a single sign-on across many accounts, social-based login simplifies access for customers, as they don’t need to remember many separate sets of credentials.
It also simplifies things for the business, which no longer needs to securely store passwords or handle password recovery for customers. However, it makes the business reliant on the security of the social network, and vulnerable if the third-party network is hacked.
Mobile Biometric Authentication
Mobile biometric authentication enables customers to use a unique physical feature to access their accounts and data. Commonly used biometric factors include fingerprints, facial scans, and voice recognition.
Biometrics are convenient for customers since they make login fast and easy, and there’s nothing to remember. Regular users of mobile devices are already very familiar with features like Face ID to unlock their phone or tablet, so it feels natural to use physical factors to access accounts.
For businesses, biometrics offers a high level of security since these factors are nearly impossible to steal or duplicate. This makes them ideal for protecting sensitive data for industries such as banking, healthcare, and government.
Best Practices for Implementing Mobile Authentication
Implementing mobile authentication requires that organizations take into consideration the level of security they want to achieve, customer usability, and any potential impact on business.
Authentication that trades off security for ease of use can leave a business vulnerable to hacking and fraud, and to the hard hit on brand reputation that accompanies breaches. Authentication that prioritizes security over usability can result in fewer customers using their account, reduced revenues, and, ultimately, customers moving to a competitor.
Some best practices can help businesses satisfy both security requirements and customers:
Focus on User Experience (UX)
Customers should be able to open and access their accounts with a minimum of friction. Factors that increase friction can be different on mobile devices vs. on computers. For example, a password that can be easily typed on a laptop keyboard may become frustrating on a mobile phone keypad. Conversely, an OTP that forces a computer user to pick up their mobile phone or go check their email can be read straight from the SMS on a mobile device.
User experience begins with the process to open an account or register on a site. The longer the registration form, the more frustrating the experience is; the form should only request information that’s truly needed.
Another way to simplify UX is by allowing users to remain logged into a mobile app after they have authenticated their identity.
Leverage Two-Factor Authentication (2FA)
As the name implies, mobile two-factor authentication increases security by requiring a combination of two authentication factors before access is granted. A common use case: once a customer has entered a password, they are asked to also enter an OTP that has been sent to them via SMS.
Two-factor authentication decreases the likelihood that the attempted entry is being made by a fraudster. By combining something the customer knows, like a password that’s vulnerable to being stolen, with something they have – a physical phone or tablet that a fraudster is unlikely to steal or possess – 2FA provides an added level of account security.
Two-factor authentication can also be leveraged by use case. For example, instead of being required every time the customer opens the app with the phone they always use, 2FA can be used to authenticate their identity when the customer accesses their account from a new or unrecognized device.
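The Python below is an added example, not code from the original article or from Daon, of the two mechanisms described in the OTP section and in this 2FA section: a server-side OTP that is generated with a cryptographic random source, valid only for a few minutes, usable once, and capped on wrong guesses; and a login flow that demands that OTP only when the customer arrives from a device the service has not seen before, then remembers the device after a successful step-up. The five-minute lifetime, the three-attempt cap, the 30-day device trust window, the `outbox` list standing in for an SMS gateway, and the `FakeClock` used to fast-forward time are all assumptions made for the demonstration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Assumed values; the text only says "a few minutes" and "new or unrecognized device".
OTP_TTL_SECONDS = 5 * 60               # code is valid for five minutes
OTP_MAX_ATTEMPTS = 3                   # wrong guesses allowed per issued code
DEVICE_TRUST_SECONDS = 30 * 24 * 3600  # a device stays "recognized" for 30 days


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS


class FakeClock:
    """Constructed clock so the demo can fast-forward time deterministically."""

    def __init__(self, now: float = 1_700_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class AuthService:
    """Toy server-side state: live OTPs per user and trusted (user, device) pairs."""

    clock: Callable[[], float] = time.time
    pending: dict[str, PendingOtp] = field(default_factory=dict)         # user -> live OTP
    trusted: dict[tuple[str, str], float] = field(default_factory=dict)  # (user, device) -> trusted until
    outbox: list[tuple[str, str]] = field(default_factory=list)          # (user, code): stand-in for SMS gateway

    def issue_otp(self, user: str) -> None:
        # CSPRNG-generated, zero-padded six digits; a new code replaces any earlier one.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[user] = PendingOtp(code, self.clock() + OTP_TTL_SECONDS)
        self.outbox.append((user, code))

    def verify_otp(self, user: str, submitted: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:      # expired: discard, never accept late
            del self.pending[user]
            return False
        entry.attempts_left -= 1
        # Constant-time comparison so response timing does not leak matching digits.
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            if entry.attempts_left <= 0:         # too many guesses: burn the code
                del self.pending[user]
            return False
        del self.pending[user]                   # single use: a correct code cannot be replayed
        return True

    def device_is_trusted(self, user: str, device_id: str) -> bool:
        until = self.trusted.get((user, device_id))
        return until is not None and self.clock() < until

    def login(self, user: str, password_ok: bool, device_id: str) -> str:
        """First step; password_ok is the outcome of the password check, assumed done elsewhere."""
        if not password_ok:
            return "denied"
        if self.device_is_trusted(user, device_id):
            return "ok"                          # recognized device: no step-up needed
        self.issue_otp(user)
        return "otp_required"                    # unrecognized device: demand the second factor

    def complete_login(self, user: str, device_id: str, submitted: str) -> str:
        if not self.verify_otp(user, submitted):
            return "denied"
        self.trusted[(user, device_id)] = self.clock() + DEVICE_TRUST_SECONDS
        return "ok"


def run_demo() -> list[str]:
    """Walk one customer through a new device, a recognized device, and an expired code."""
    clock = FakeClock()
    svc = AuthService(clock=clock)
    steps = []
    steps.append(svc.login("alice", True, "phone-A"))            # new device -> otp_required
    code = svc.outbox[-1][1]
    wrong = "000000" if code != "000000" else "999999"
    steps.append(svc.complete_login("alice", "phone-A", wrong))  # wrong code -> denied
    steps.append(svc.complete_login("alice", "phone-A", code))   # right code -> ok, device trusted
    clock.advance(24 * 3600)
    steps.append(svc.login("alice", True, "phone-A"))            # same device next day -> ok
    steps.append(svc.login("alice", True, "phone-B"))            # unrecognized device -> otp_required
    code = svc.outbox[-1][1]
    clock.advance(OTP_TTL_SECONDS + 1)
    steps.append(svc.complete_login("alice", "phone-B", code))   # expired code -> denied
    return steps


if __name__ == "__main__":
    print(run_demo())
```

The device identifier is whatever the app can bind to a specific installation (a token stored at enrolment, for instance); the flow above does not depend on how it is derived, only on the service being able to recognize it again. Keeping the trust window finite means a lost or sold phone eventually stops being a silent second factor.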
Use Passwordless Authentication
It’s also possible to take passwords and their vulnerabilities out of the authentication equation completely. Passwordless authentication, also called passkey authentication, relies on PINs, patterns, and biometrics, with biometrics providing the highest level of security.
Passwordless authentication both improves security and offers easy usability for customers. It’s also on the rise. The UK National Cyber Security Centre (NCSC) recently issued new guidelines to help businesses create a passwordless customer authentication experience. In its report “Take 3 Steps Toward Passwordless Authentication,” Gartner Research estimates that “by 2025, 50% of the workforce and 20% of customer authentications will be passwordless, up from 10% today.”
Passwordless authentication is, by far, the most secure and user-friendly method of authentication available to businesses.
Learn how Daon can help you choose and implement the right mobile authentication solutions for your business and your customers.