It’s a common scenario.
You log onto a website to perform a financial transaction, enter your card details, and a message flashes up.
“For your security, we need to confirm your identity by sending a verification code to a number ending in *****123.”
This is undeniably inconvenient.
You might not have your mobile phone to hand. The quoted number may be a landline. It might belong to someone else who isn’t around, or can’t be disturbed right now.
Worse, network congestion periodically prevents verification messages arriving within the narrow timeframe (often just five minutes) before the code expires.
In the meantime, your web browser is held in suspended animation. You can’t complete whatever you were doing, yet closing the tab invalidates what’s happened thus far.
The session or transaction might even time out, meaning you’ll have to go through the whole process again – but in a worse mood.
They got your number, they got your name
The growth of two-factor authentication (2FA) for online activities has been driven by incessant hacking and phishing attempts.
Confirming you’re really you with a one-time passcode (OTP) sent to a mobile number is a crude, if generally effective, way of reducing fraud.
But as we’ve explained above, it can be annoying.
In America, technology already exists that verifies people by matching their cell phone number to their current browsing session.
Similar processes have always been used to confirm data requests are being made by a specific device, with ongoing dialogue between your handset and your mobile network.
In layman’s terms, this dialogue proves the mobile device you’re using is actually yours.
That doesn’t rule out scenarios where a handset has been stolen, but a criminal would still have to get past any biometric security – and also know other account login credentials.
More importantly, it means apps and browser pages identify your handset through its SIM card, confirming the user’s ID and eliminating the need for validation codes.
All you have to do is register your mobile number whenever you create a new online account, or install an app.
Ongoing identification takes place seamlessly behind the scenes as you interact with webpages or app services, as it does already with data transfers and network connections.
The big four mobile networks have agreed to launch this new service in the UK in the near future, where it will be known as Number Verify.
Can Number Verify be fooled?
The technology is proven in America, and few issues have been reported despite billions of successful monthly transactions.
Transactions are verified whether the device is connected to WiFi or a mobile network.
Dual-SIM phones are protected, provided the user chooses the number linked to a particular SIM card for mobile data browsing or app access.
Number Verify is also compliant with the rigorous PSD2 SCA requirements, which regulate strong customer authentication online.
As such, it might finally spell the end of 2FA in this country.