Account security

Strong customer authentication: Best practices for using phone numbers to protect your users


  • Nabeel Saeed
  • Feb 21, 2020
TLDR

86% of customers stop patronizing businesses who’ve had data breaches. Here are the best practices around requesting, using, and evaluating phone numbers for account authentication.


Watch the on-demand webinar all about protecting your business—and your customers—with industry-leading account security and user authentication.

Data breaches seem to happen every day, and fraud tactics are constantly evolving. Today’s digital criminals have more data and means to commit fraud than ever before—which means that for companies today, it’s important to provide meaningful, seamless experiences online and via mobile, while also protecting users.

Eighty-six percent of customers stop patronizing businesses who’ve had data breaches. Fraud not only puts customer data at risk; it also puts your entire business at risk. For decades, it was standard practice to rely on a series of email exchanges to verify a new user: a customer opens an account, the business sends an email, the customer replies proving they have access to the email address submitted—and that’s it, they’re in. Today, though, email accounts can be created and even automated by software robots. This means bad actors can create fraudulent accounts to:

  • Open accounts in someone else's name as part of identity theft;
  • Register social accounts for spamming and attacking legitimate users;
  • Sign up to abuse free trial services in your application.

A better way of eliminating fraud and keeping users safe is phone number authentication. Here are some critical considerations around requesting, using, and evaluating phone numbers for account authentication.

  • Ensure accuracy

Get the full phone number, including the country code, and make sure the national formatting protocol is correct. Phone numbers reveal plenty of useful information that can be used to verify the authenticity of an account. Identified as either a landline, mobile, or Voice over Internet Protocol (VoIP), phone numbers are also associated with countries of origin and can be tied back to a telecommunications carrier. These three attributes help businesses filter out potentially fraudulent traffic from specific geographies, while also identifying phone numbers associated with real devices owned by real people.
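The normalization and filtering described above, as an added example that is not code from the original post or from Twilio: it canonicalizes user input to E.164, then applies a sign-up policy over the three attributes the text names (line type, country, carrier). The `SAMPLE_LOOKUP` table, `lookup_phone` and `assess_signup` are constructed stand-ins for a real carrier-intelligence service, and the normalizer assumes input is either international form or a national number for a known default country code.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# E.164: a '+', a non-zero first digit, and at most 15 digits in total.
# The 8-digit minimum is a practical floor for this example, not part of the standard.
E164_RE = re.compile(r"^\+[1-9]\d{7,14}$")


def normalize_to_e164(raw: str, default_country_code: str = "1") -> Optional[str]:
    """Turn whatever the user typed into canonical E.164, or None if it cannot be.

    Assumption: input is either international ('+44...', '0044...') or a national
    number for `default_country_code`, optionally with a leading trunk '0'.
    A production service should use a full metadata library (e.g. libphonenumber);
    this is a deliberately small stand-in.
    """
    cleaned = re.sub(r"[^\d+]", "", raw.strip())       # drop spaces, dashes, parentheses
    if cleaned.startswith("+"):
        national = cleaned[1:]
    elif cleaned.startswith("00"):                      # common international dialling prefix
        national = cleaned[2:]
    else:
        national = default_country_code + cleaned.lstrip("0")
    if "+" in national:                                 # a '+' anywhere but the front is garbage
        return None
    candidate = "+" + national
    return candidate if E164_RE.fullmatch(candidate) else None


@dataclass(frozen=True)
class PhoneIntel:
    """The three attributes the article calls out: line type, country, carrier."""
    line_type: str   # "mobile", "landline" or "voip"
    country: str     # ISO 3166-1 alpha-2
    carrier: str


# Constructed sample data standing in for a carrier/line-type lookup service.
# The numbers are from reserved fictional ranges, not real subscribers.
SAMPLE_LOOKUP = {
    "+14155550100": PhoneIntel("mobile", "US", "Example Wireless"),
    "+14155550101": PhoneIntel("voip", "US", "Example VoIP Inc"),
    "+442079460958": PhoneIntel("landline", "GB", "Example Telecom"),
}


def lookup_phone(e164: str) -> Optional[PhoneIntel]:
    """Hypothetical lookup; replace with a real carrier-intelligence API call."""
    return SAMPLE_LOOKUP.get(e164)


def assess_signup(raw: str, allowed_countries: Set[str], block_voip: bool = True,
                  default_country_code: str = "1") -> Tuple[str, str]:
    """Return (decision, detail) for a sign-up attempt with this phone number.

    decision is 'reject', 'review' or 'allow'; for 'allow' the detail lists the
    verification channels that suit the line type (SMS cannot reach a landline).
    """
    e164 = normalize_to_e164(raw, default_country_code)
    if e164 is None:
        return ("reject", "malformed number")
    intel = lookup_phone(e164)
    if intel is None:
        return ("review", "no carrier data")            # unknown numbers get a human look, not a free pass
    if intel.country not in allowed_countries:
        return ("reject", f"country {intel.country} not served")
    if block_voip and intel.line_type == "voip":
        return ("review", "voip number")                # VoIP numbers are cheap to mass-create
    channels = "sms,voice" if intel.line_type == "mobile" else "voice"
    return ("allow", channels)


if __name__ == "__main__":
    for sample in ["(415) 555-0100", "+1 415 555 0101", "+44 20 7946 0958", "12345"]:
        print(sample, "->", normalize_to_e164(sample), assess_signup(sample, {"US", "GB"}))
```

The policy deliberately routes unknown and VoIP numbers to review rather than rejecting them outright: a lookup gap is a signal, not proof of fraud, and a hard block on VoIP would lock out legitimate users of those services.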

  • Simplify for mobile

On mobile platforms, where the device itself might have a phone number directly associated with it, data collection may be more straightforward. In mobile apps, it’s increasingly common to leverage the phone number as the only required information when installing and signing up. Using a phone number as the primary way to prove account ownership is faster than email and more accurate.

  • Verify validity

Phone authentication isn’t foolproof; just as emails can be fraudulent, so too can phone numbers. The most common method for confirming a working number belongs to the account holder is by sending a one-time code—usually a 4-to-6 digit token—via SMS and asking the recipient to enter that code back into the application. 

Using a phone number, in conjunction with two-factor authentication (2FA) at login, ranks high among the options to increase the protection of user accounts and reduce the cost of fraud to the business.

  • Consider voice alternatives 

Sending this SMS-based code—sometimes called an OTP, or one-time passcode—won’t cover all of your users, as some have voice-only phone numbers like landlines or other restrictions that prevent SMS usage. Be sure to offer the option of receiving a voice call or having the code read aloud over the phone.
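The one-time code flow from the "Verify validity" and "Consider voice alternatives" sections, as an added example that is not code from the original post or from Twilio. It generates a 6-digit code from a CSPRNG, stores only an HMAC of it, enforces a short expiry, caps guesses, makes each code single-use, and lets the caller pick SMS or a voice read-out for landlines. The `send` callback, the `SERVER_PEPPER` value and the phone numbers are constructed for the demo; delivery itself is assumed to be handled by whatever SMS or voice gateway the application already uses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 300          # a code that lives longer than a few minutes only helps an attacker
MAX_ATTEMPTS = 5                # 10^6 codes / 5 guesses: brute force is hopeless within the TTL
# Constructed demo secret. In production this comes from a secrets manager, never source code.
SERVER_PEPPER = b"constructed-demo-pepper-do-not-reuse"


@dataclass
class Challenge:
    phone: str
    channel: str        # "sms" or "voice"
    code_hash: bytes    # only the HMAC is stored; a leaked table cannot be replayed
    expires_at: float
    attempts: int = 0


def generate_code(length: int = 6) -> str:
    """Cryptographically random numeric code, zero-padded so '004213' keeps its length."""
    return f"{secrets.randbelow(10 ** length):0{length}d}"


def hash_code(phone: str, code: str) -> bytes:
    """Bind the code to the phone number so a code issued for one number cannot verify another."""
    return hmac.new(SERVER_PEPPER, f"{phone}:{code}".encode(), hashlib.sha256).digest()


class OtpService:
    """Issue and verify one-time codes. `send` is whatever delivers the code (SMS gateway,
    text-to-speech voice call); `now` is injectable so expiry can be tested deterministically."""

    def __init__(self, send: Callable[[str, str, str], None],
                 now: Callable[[], float] = time.time):
        self._send = send
        self._now = now
        self._pending: Dict[str, Challenge] = {}

    def start(self, phone: str, channel: str = "sms", length: int = 6) -> None:
        if channel not in ("sms", "voice"):
            raise ValueError(f"unsupported channel {channel!r}")
        code = generate_code(length)
        # Re-issuing replaces any earlier challenge, so only the newest code is ever valid.
        self._pending[phone] = Challenge(phone, channel, hash_code(phone, code),
                                         self._now() + CODE_TTL_SECONDS)
        self._send(phone, channel, code)

    def check(self, phone: str, submitted: str) -> Tuple[bool, str]:
        challenge = self._pending.get(phone)
        if challenge is None:
            return (False, "no pending challenge")
        if self._now() > challenge.expires_at:
            del self._pending[phone]
            return (False, "expired")
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[phone]                 # lock out; the user must request a new code
            return (False, "too many attempts")
        if hmac.compare_digest(hash_code(phone, submitted), challenge.code_hash):
            del self._pending[phone]                 # single use: a captured code cannot be replayed
            return (True, "verified")
        return (False, "incorrect code")


def run_demo() -> Tuple[list, list]:
    """Issue -> wrong guess -> correct code -> replay -> expiry, with a fake clock and a
    fake delivery channel that just records what would have been sent."""
    clock = [1_000.0]
    delivered = []                                   # (phone, channel, code) tuples
    svc = OtpService(send=lambda p, ch, code: delivered.append((p, ch, code)),
                     now=lambda: clock[0])
    outcomes = []
    mobile, landline = "+14155550100", "+442079460958"   # constructed fictional numbers

    svc.start(mobile, channel="sms")
    real = delivered[-1][2]
    wrong = "000000" if real != "000000" else "000001"
    outcomes.append(svc.check(mobile, wrong))        # (False, "incorrect code")
    outcomes.append(svc.check(mobile, real))         # (True, "verified")
    outcomes.append(svc.check(mobile, real))         # (False, "no pending challenge"): consumed

    svc.start(landline, channel="voice")            # landline: read the code aloud instead of SMS
    clock[0] += CODE_TTL_SECONDS + 1
    outcomes.append(svc.check(landline, delivered[-1][2]))  # (False, "expired")
    return outcomes, [ch for _, ch, _ in delivered]


if __name__ == "__main__":
    for outcome in run_demo()[0]:
        print(outcome)
```

Two details matter more than they look: the attempt counter is incremented before the comparison, so the correct code submitted after the limit is still refused, and the comparison uses `hmac.compare_digest` rather than `==` so response timing does not leak how many leading bytes matched.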

Over the past few years, online fraud has exploded from a minor nuisance to an annual US$5.127 trillion hit to businesses and individuals across the world. From fraudulent bot-generated user accounts, to costly takeovers of high-value customers, to identity hijacking during the account recovery process, cybercriminals continue to exploit every gap in the security of online accounts.

Watch the on-demand webinar, where we cover:

  • How to verify users and protect your app or service from data loss, fraud, and malicious attacks
  • Considerations to make for a global, scalable authentication and verification solution
  • Key considerations to help answer the question: build or buy?

Nabeel Saeed

Nabeel has worked in multiple application and network security roles over the last 5 years, and is a speaker at the Bay Area Cyber-Security Meetup. His interests include identity and authentication and he is currently involved in helping fintech companies with PSD2 compliance. He holds a Bachelors in Economics from UC San Diego, California.