Whitepaper: Problems with SMS based Authentication

The SMS-based authentication approach is fundamentally flawed for the following reasons:

Delay in delivery of SMS

Although most SMS text messages are transmitted in seconds, it's common to find them delayed when networks become congested. SMS traffic is not sent point to point; it is queued and then sent on to the required network cell, where it is queued again and finally sent to the end user's phone. This queuing gives rise to delays at peak operator periods. It is also not infrequent to hear complaints from users of SMS-based authentication that their SMS was delayed by a few hours. To add to this complication, there will be a session time-out of a few minutes for the authentication or transaction to happen. Considering that 4% of users trying to authenticate will fail and will need to raise a help desk call to gain emergency access, a deployment of 10000 users authenticating each day would raise 400 help desk calls per day!

What RBI has to say regarding SMS OTP?

Key feedback received from customers of SMS OTP is that it leads to several issues or inconvenience due to factors like network availability, restriction to a particular phone number, non-availability of the service when customer travels abroad, timing out of online transactions due to slow speed of OTP transmission etc.

No Coverage Areas

Mobile phone signals are not always available, particularly in buildings with wide outer walls, in underground basements or in computer rooms that give off high RF noise. Consider a user trying to authenticate in one of these locations. When they fail to receive their authentication code, they would next need to move to a location that has a signal, receive their authentication code, and move back to the original location to enter their OTP (One Time Password), all within a timeout period of 2 minutes. Users in these locations would have no alternative but to raise help desk calls to gain emergency access.
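The timeout interaction described in the two sections above, as an added example that is not part of the original whitepaper: a server-side OTP check with a 2-minute validity window, fed with constructed delivery delays, that counts expired codes separately from wrong ones so the share of logins lost to SMS delay can be measured. The class, function names and sample delays are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    OK = "ok"
    EXPIRED = "expired"            # code arrived or was typed after the timeout
    WRONG_CODE = "wrong_code"
    NO_CHALLENGE = "no_challenge"  # never issued, already used, or locked out


@dataclass
class _Challenge:
    code: str
    issued_at: float
    attempts_left: int


class SmsOtpVerifier:
    """Hypothetical server-side OTP store; 'now' is injected so tests are deterministic."""

    def __init__(self, timeout_s=120, max_attempts=3):
        self.timeout_s = timeout_s
        self.max_attempts = max_attempts
        self._pending = {}
        self.stats = {r: 0 for r in Result}  # lets operations see *why* logins fail

    def issue(self, user, now):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits
        self._pending[user] = _Challenge(code, now, self.max_attempts)
        return code  # this is what would be handed to the SMS gateway

    def verify(self, user, code, now):
        result = self._check(user, code, now)
        self.stats[result] += 1
        return result

    def _check(self, user, code, now):
        ch = self._pending.get(user)
        if ch is None:
            return Result.NO_CHALLENGE
        if now - ch.issued_at > self.timeout_s:
            del self._pending[user]
            return Result.EXPIRED
        if hmac.compare_digest(code.encode(), ch.code.encode()):  # constant-time compare
            del self._pending[user]  # single use: a replayed code finds no challenge
            return Result.OK
        ch.attempts_left -= 1
        if ch.attempts_left == 0:
            del self._pending[user]  # guessing budget exhausted
        return Result.WRONG_CODE


# Constructed SMS delivery delays in seconds (not measurements from the whitepaper).
CONSTRUCTED_DELAYS_S = [2, 4, 5, 9, 30, 60, 115, 300, 3600, 7200]


def expired_share(delivery_delays_s, typing_s=10, timeout_s=120):
    """Fraction of correct-code logins rejected only because the SMS was late."""
    verifier = SmsOtpVerifier(timeout_s=timeout_s)
    for i, delay in enumerate(delivery_delays_s):
        user = f"user{i}"
        code = verifier.issue(user, now=0.0)
        verifier.verify(user, code, now=delay + typing_s)
    return verifier.stats[Result.EXPIRED] / len(delivery_delays_s)


if __name__ == "__main__":
    print(f"expired share: {expired_share(CONSTRUCTED_DELAYS_S):.0%}")
```

Counting EXPIRED separately from WRONG_CODE is what lets a deployment tell delivery problems apart from guessing attempts before they show up as help desk calls.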

Unavailability of Mobile Phone

There might be cases where the user has forgotten the mobile phone somewhere, has lost it, the battery has run down, or the mobile number has changed but has not been updated. In all these cases, continuity of access to the application is adversely affected. Some studies have shown that over 50% of mobile users misplace or forget their mobiles at least once a month. All of this amounts to increased help desk and support calls.



Low level of Security

There are also potential security issues with SMS-OTP. Firstly, all the mobile phone operators between the service provider and the user become part of the trust chain and thus need to be trusted. In case of roaming there are multiple operators. Secondly, SMS encryption can be decrypted by an attacker and therefore SMS-OTP cannot be totally.

Downtime with SMS Gateway

Whenever the SMS gateway is under maintenance or facing issues, the timeliness of SMS delivery is affected. A similar situation can arise when there is a service outage of operator networks.

What Standard Chartered bank website says regarding SMS OTP?

- There may be some service delays or interruptions by your mobile service providers. Delays could arise due to high SMS load e.g. festive seasons, service outage, earthquakes etc
- Your mobile phone may be out of network coverage. Please check the signal strength on your phone.
- You will not be able to receive SMS if you are located in Japan or Korea or Indonesia and your mobile phone is roaming in these countries.

Unavailability of service for roaming user

When a customer travels abroad, there will be a restriction on availability of the service, depending on the operator. In those cases, the user will be denied access to the application and has to resort to emergency help desk calls.

High Cost for roaming user

Even where the service is available for some countries, the roaming cost per SMS will make the TCO of the system very high. This has to be factored in while calculating the TCO and ROI of the system.

Dependency on Government Regulations

In emergency and sensitive situations, governments can dictate the blocking of bulk SMS, thereby affecting the service of SMS-based authentication methods. A similar situation was seen in 2010, when the government called for the blocking of all bulk SMS during a court hearing on a sensitive subject.

Mobile phone is used to connect to the internet

When a mobile phone creates a data connection it can't receive SMS messages, and in most cases the user might not be aware of this. Users trying to use their mobile phone as a way of connecting to the Internet would not receive their authentication code until they hang up the data connection.








Conclusion
Organizations looking at implementing a two-factor authentication solution should take due care that the above factors are considered when evaluating SMS-based authentication solutions against other forms of two-factor authentication.




ABOUT ARRAYSHIELD
Array Shield Technologies is the maker of software security products in the
area of Multi-Factor Authentication. The company’s mission is to provide
highly secure, cost effective and easy to use software security solutions
globally.

For more information, visit us at www.arrayshield.com



