If you can read this, chances are you have had to sign up or log in to a website or app at some point – heck, chances are you have had to log in to a website or app today. After signing up, the ease with which we log in to apps and websites often makes us oblivious to certain concerns that exist within the seemingly mundane process of logging in to carry out a task. Occasionally, we get a notification informing us of a security breach on our account, and while going through the identity verification process, we are forced to realize that these concerns are legitimate. Early users of Facebook can clearly remember when the social network used security questions to authenticate users who had problems logging in due to a security breach of some sort. This method quickly became obsolete because most of the answers to the questions people set as security questions – like your/your dad’s birthday – could be gotten from other websites/databases, making the breach and hijack of accounts a lot easier.
Simply put, two-factor authentication (2FA) is the combination of two factors to gain access – what you know [your password], and what you have [your phone, email]. This system involves you having to input your regular login details and, in addition, the data sent to the second factor in the mix. What are the chances that someone else with malicious intent will be in possession of your password and your phone/token at the same time without your consent? The low odds of this happening are the reason why a lot of websites and apps use two-factor authentication for sign-up and log-in processes.
Besides phones and emails, other forms of 2FA include connected tokens, disconnected tokens, soft tokens, and USB keys. However, for the purpose of onboarding new users or signing in to a website or app, these other forms aren’t as popular as phones and emails, and businesses have had to choose the most appropriate and efficient method for carrying out authentication. Several things are considered before picking a preferred method and here, we draw a comparison between the two most popular methods.
Cost is usually a concern for both intending users and businesses. Email accounts are free to create and sending emails is free of charge (except, of course, the data used). Owning a SIM that can receive SMS often requires registration that comes at a cost and requires a full data capture. Also, website/app owners get charged for sending verification codes as SMS over the cellular network. This is often a reason why people opt to send authentication codes via email.
There are cases where verification codes fail to deliver to mobile phones, and this is usually no fault of either the sending party or the receiving party. Delivery hugely depends on the telco/service provider, as most of them have a blanket Do-Not-Disturb policy that monitors and blocks messages from being delivered. However, emails will always get delivered. Sometimes, they may be sent to junk mail, but you’re sure to receive your verification code, and this just might be the only clear-cut advantage email has over phone verification.
A more customer-centric approach would take into consideration which method would be more convenient for customers. Ease of access is a very important factor in technology today. The reason for this is simple: people are more ‘on-the-go’ now than they were last year, five years ago, ten years ago, and so on. Owing to this, phone verification may be favoured, as most phones are capable of receiving texts. There is also the convenience of interoperability. A message from a website or app could be delivered as SMS, MMS, iMessage, data message, Skype, or Google Voice. This tears down the barrier of format discrimination and ensures that you get the codes regardless of the device used at that moment.
Actually, both are equally fast considering internet penetration and push notifications, but the requirements for attaining speed differ. While SMS verification requires a cellular connection, emails require an internet connection, which may require an initial cellular connection in the absence of Wi-Fi, LAN or any other type of connection to the internet.
At first glance, email seems to be a wiser option for marketing purposes, but is it really? Marketing campaigns that have always worked have always been the ones with a more personal approach, and that is something emails don’t intrinsically offer. Most email users have been conditioned to see their mailboxes as tools for impersonal business communication and are more likely to not read a marketing mail. SMS, however, offers that personal touch, and with the advent of SMS 2.0, it is sure to become a lot more effective, as SMS 2.0 adds features like group chats and sending multimedia messages like every other SMS (Yes, you can send links to products and websites too!).
Security is the most important factor to consider for both users and parties who own platforms. There is a myriad of things that could go wrong. Phones could have their SIM cards cloned, giving third parties with malicious intent access to the verification codes. You will have to trust your service provider enough to be willing to give out your numbers, because there have been instances of unauthorized data sharing for gain on the side of the service providers. This, though it may seem insignificant, is a breach of trust and can expose you to future harm, as the service providers who give out these numbers have no control over what they are used for by the people who purchase them. In Nigeria, instances of SIM card cloning are quite sparse and the process of getting a new SIM card is a bit rigorous, making phone verification a preferred choice for website/app owners. The underlying reason is that people will be disincentivized from creating multiple spam accounts if the process of getting a new SIM is not easy.
Emails are susceptible to quite a number of security challenges, especially in the Nigerian clime. Emails can easily get compromised through phishing, malware/ransomware, direct attacks on the email service provider, or hackers just bulldozing their way through your password if it is weak enough. The loss incurred from compromised emails is usually huge, as not only are the verification codes stolen, but other important files and correspondence also fall into the wrong hands. A compromised email can easily snowball into a cluster-bumble of ugly incidents, as we have seen in recent times [See: Hillary Clinton]. It is easier to have improved security on phone lines than on email addresses, as back doors into personal spaces on the internet are constantly found.
As stated earlier, businesses always have a number of factors to consider before picking a preferred style(s); and with an on-the-go lifestyle that requires minimal resources to handle communication securely, which would you go for?