whitepaper: unlocking the mobile security potential


Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication

Independently conducted by Ponemon Institute LLC Sponsored by tyntec Publication Date: March 2014

Ponemon Institute© Research Report


Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication

Ponemon Institute, March 2014

Part 1. Introduction

We are pleased to present the results of Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication, sponsored by tyntec, a mobile interaction specialist. The purpose of this study is to provide insights into mobile authentication in four global regions: North America (NA); Europe, Middle East and Africa (EMEA); Asia-Pacific plus Japan (APJ); and Latin America plus Mexico (LATAM). Mobile authentication components such as One-Time Passwords (OTPs) or Mobile Transaction Authentication Numbers (mTANs) in transaction processes are considered effective in preventing fraud and proving identity. Fifty percent of respondents say their organizations plan to adopt two-factor authentication in 2014 and another 40 percent see it as a possibility.

We surveyed 1,861 IT and IT security practitioners in these four regions. Most of the respondents work in corporate IT (41 percent) or data center operations (20 percent). Sixty-four percent of respondents are familiar with SMS-based two-factor or two-step authentication.

We define SMS-based two-factor authentication as a procedure that enhances the security of transactions by providing dynamic passwords such as OTPs, either through a token device or "virtually" via SMS. OTPs are dynamic passwords mainly used in financial services, but increasingly also in enterprises, Internet and mobile companies. They are session-based, time-restricted passwords that make unauthorized access to restricted resources more difficult than static passwords do. By using OTPs via SMS to authorize transactions in environments such as online banking or user registration, companies ensure two-factor authentication and counter attacks such as phishing emails, pharming and Trojans.

Following are the most important takeaways from this research.

§ Most of the organizations represented in this research use SMS-based two-factor or two-step authentication. Of those using this technology, 43 percent say their organizations use OTPs for user registration or identity verification. This is followed by the use of OTPs for each login (33 percent) or transactions (31 percent).

§ On occasion, SMS-based One-Time Passwords (OTPs) are not delivered correctly. The majority of respondents are aware that sometimes their companies cannot deliver OTPs correctly. Respondents aware of delivery failures say the rate for not being delivered is an average of 13 percent. Of those that fail to be delivered, an average of 48 percent cannot be sent because invalid mobile numbers were provided by end-users.

§ For security purposes, location and validation of the number in real time is considered valuable. Sixty-six percent of respondents say they would be interested in verifying where end users are located and whether their number is valid in real time. They believe this would strengthen their security measures, assuming opt-in by the end-user.

§ Ease of use is the major benefit of SMS-based two-factor authentication. Eighty-six percent of respondents see major benefits from the deployment of this type of authentication. The top benefits are ease of use for end users (71 percent of respondents), that it works on all mobile phones (61 percent) and that it is more secure than other two-factor authentication methods.

§ Next steps for mobile authentication. In 2014, most of the respondents say they plan to extend the use of SMS-based two-factor authentication for user registration or identity verification (47 percent) or activation of online services (48 percent).
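The introduction describes SMS OTPs as session-based, time-restricted passwords, and the takeaways attribute about half of delivery failures to invalid numbers supplied by end-users. The sketch below is an added example, not code from the report or from tyntec: it validates the number format before an SMS is paid for, binds each OTP to a session, enforces a lifetime and an attempt limit, and consumes the OTP on first success. The 6-digit length, 120-second lifetime, three-attempt limit, simplified E.164 check and the test numbers are all assumptions made here for illustration.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

# Simplified E.164 check (an assumption of this example): '+', a non-zero first
# digit, then 7 to 14 more digits. A real deployment uses a numbering-plan
# library; this only catches malformed input that could never reach a handset.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

OTP_TTL_SECONDS = 120   # lifetime of an issued OTP (value assumed here)
MAX_ATTEMPTS = 3        # guesses allowed per issued OTP (value assumed here)


@dataclass
class PendingOtp:
    otp_hash: bytes     # only a keyed hash of the OTP is kept server-side
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issues one OTP per session and accepts it once, within its lifetime."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms             # callable(msisdn, otp): the SMS gateway
        self._clock = clock                   # injectable so expiry can be tested
        self._pending = {}                    # session_id -> PendingOtp
        self._key = secrets.token_bytes(32)   # per-process key for hashing OTPs

    def _hash(self, otp):
        return hmac.new(self._key, otp.encode(), hashlib.sha256).digest()

    def issue(self, msisdn, session_id):
        """Validate the number before sending; return False if no SMS went out."""
        if not E164.match(msisdn):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"          # 6 digits, zero-padded
        self._pending[session_id] = PendingOtp(
            otp_hash=self._hash(otp),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._send_sms(msisdn, otp)
        return True

    def verify(self, session_id, candidate):
        """Return 'ok' or a failure reason; a correct OTP is consumed on success."""
        entry = self._pending.get(session_id)
        if entry is None:
            return "no_otp_for_session"
        if entry.used:
            return "already_used"
        if self._clock() > entry.expires_at:
            del self._pending[session_id]
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]
            return "too_many_attempts"
        entry.attempts += 1
        if not hmac.compare_digest(self._hash(candidate), entry.otp_hash):
            return "mismatch"
        entry.used = True
        return "ok"


def demo():
    """Constructed walkthrough with a fake clock and a capturing SMS gateway."""
    sent = []
    now = [1_000_000.0]
    svc = OtpService(send_sms=lambda num, otp: sent.append((num, otp)),
                     clock=lambda: now[0])
    results = {}
    results["invalid_number"] = svc.issue("07700900123", "s1")   # no '+' / country code
    results["issued"] = svc.issue("+447700900123", "s1")         # constructed test number
    otp = sent[-1][1]
    wrong = "000000" if otp != "000000" else "999999"
    results["wrong"] = svc.verify("s1", wrong)
    results["right"] = svc.verify("s1", otp)
    results["replay"] = svc.verify("s1", otp)
    svc.issue("+447700900123", "s2")
    now[0] += OTP_TTL_SECONDS + 1                 # let the second OTP expire
    results["expired"] = svc.verify("s2", sent[-1][1])
    results["sms_sent"] = len(sent)               # the invalid number cost no SMS
    return results
```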


Part 2. Key Findings

In this section, we present the combined results for North America, EMEA, APJ and LATAM. The complete audited global findings are presented in the appendix of this report.

The use of SMS-based two-factor or two-step authentication in organizations. As shown in Figure 1, 47 percent of respondents say their organizations do not use SMS-based two-factor or two-step authentication. Of those using this technology, 43 percent say their organizations use OTPs for user registration or identity verification. This is followed by the use of OTPs for each login (33 percent) or transactions (31 percent).

Figure 1. Purpose for using SMS-based two-factor or two-step authentication (more than one response permitted)

On occasion, SMS-based OTPs are not delivered correctly. The majority of respondents are aware that sometimes their companies cannot deliver OTPs correctly. Thirty-three percent say they have an idea but do not know why, and 18 percent say they are aware and receive an explanatory error notification, as revealed in Figure 2. Twenty-nine percent say they are not aware of any failures and only 20 percent have not had any issues with OTP delivery.

Figure 2. Is your company aware that SMS-based OTPs sometimes do not get delivered correctly?

[Figure 1 chart: We do not use SMS-based 2-factor or 2-step authentication 47%; OTPs for user registration or identity verification 43%; OTPs for each login 33%; OTPs for transactions 31%]

[Figure 2 chart: We have an idea, but no indicator as to why 33%; Not aware of incorrect delivery 29%; We never had an issue with OTP delivery 20%; Yes, we do receive explanatory error notifications 18%]


According to Figure 3, respondents aware of delivery failures say the rate for not being delivered is an average of 13 percent. Of those that fail to be delivered, an average of 48 percent are stopped because invalid mobile numbers were provided by end-users.

Figure 3. The OTP delivery failure rate (extrapolated value 13%)

For security purposes, location and validation of the number in real time is considered valuable. As shown in Figure 4, 66 percent of respondents say they would be interested in verifying where end users are located and whether their number is valid in real time. They believe this would strengthen their security measures, assuming opt-in by the end-user. Only 4 percent verify the recipient before sending.

Figure 4. Is your company interested in the location and validation of the number in real time?

[Figure 3 chart: Zero 4%; < 5% 13%; 5 to 10% 24%; 11 to 20% 31%; > 20% 18%; Do not know 9%]

[Figure 4 chart: Yes 66%; No 16%; Undecided 13%; Already verified before sending 4%]


Ease of use is the major benefit of SMS-based two-factor authentication. Eighty-six percent of respondents see major benefits from the deployment of this type of authentication. As indicated in Figure 5, the top benefits are ease of use for end users (71 percent of respondents), that it works on all mobile phones (61 percent) and that it is more secure than other two-factor authentication methods.

Figure 5. The major benefits of SMS-based two-factor authentication (more than one response permitted)

The customer experience improves with SMS-based two-factor authentication and verification of the receiver number. This type of mobile authentication results in a happier customer, according to respondents. As shown in Figure 6, 67 percent say the customer experience improves when SMS-based two-factor authentication is combined with real-time verification of the receiver number. The same share, 67 percent of respondents, say there are fewer customer complaints. As a result, 60 percent say customer support costs are reduced. Only 13 percent of respondents say they do not see any major benefits from this combination.

Figure 6. Major benefits of SMS-based two-factor authentication and real-time verification of the receiver number (more than one response permitted)

[Figure 5 chart: Ease of use for end user 71%; Works on all mobile phones 61%; More secure than other 2-factor authentication methods 55%; Good value for money 42%; Ease of use for service provider 41%; I do not see any major benefits 14%]

[Figure 6 chart: Improved customer experience 67%; Less customer complaints to customer support 67%; Reduced costs for customer support 60%; Collect information on number validity to clean up distribution lists 56%; Reduced costs if both services are bought in a bundle 37%; Increase conversion rates by improving the user registration process 36%; No major benefits 13%]


Technical issues have discouraged the use of solutions that validate mobile numbers. Seventy-two percent of respondents have never used a solution that would validate mobile numbers before sending OTPs, as revealed in Figure 7. Twenty-two percent have used a solution. The main reasons for removing the solution were technical problems (45 percent) or quality issues (35 percent).

Figure 7. Does your company have a solution in place that helps validate mobile numbers before sending OTPs?

What are the next steps for mobile authentication? In 2014, most of the respondents say they plan to extend their organizations’ use of SMS-based two-factor authentication for user registration or identity verification (47 percent) or activation of online services (48 percent), as shown in Figure 8. Thirty percent are planning to adopt it for fraud prevention and will use OTPs for each login.

Figure 8. Will your organization extend SMS-based two-factor authentication during the next year? (more than one response permitted)

[Figure 7 chart: Yes 22%; No 72%; Do not know 6%]

[Figure 8 chart: Yes, for the activation of online services 48%; Yes, for user registration or identity verification 47%; Don't know 36%; No 34%; Yes, for fraud prevention: OTPs for each login 30%; Yes, for transactions 18%; No, I plan to keep the usage to the same extent 11%]


Next steps for two-factor authentication in 2014. As shown in Figure 9, 50 percent of organizations that do not use two-factor authentication will definitely roll it out in the coming year, and 40 percent consider it a possibility.

Figure 9. Does your company have plans to roll out two-factor authentication in 2014?

[Figure 9 chart: Yes 50%; We consider it as a possibility 40%; No, single step authentication is sufficient 9%]


Part 3. Regional findings

In this section, we provide the most interesting regional differences in respondents’ perceptions and use of two-factor mobile authentication.

The use of two-factor mobile authentication. As shown in Figure 10, 51 percent of EMEA respondents say the use of OTPs is for user registration or identity verification. The lowest usage is in LATAM. North America has the highest use of OTPs for each login and transactions.

Figure 10. Reasons for using SMS-based two-factor or two-step authentication (more than one response permitted)

[Figure 10 chart: OTPs for user registration or identity verification, OTPs for each login, OTPs for transactions, and We do not use SMS-based 2 factor or 2-step authentication, each broken down by region (NA, EMEA, APJ, LATAM)]


All regions are interested in the location and validation of a number in real time. Figure 11 reveals that in each region the majority of respondents are looking at this ability in order to strengthen security.

Figure 11. Are you interested in the location and validation of the number in real time?

[Figure 11 chart: Yes, No, Undecided, and Already verified before sending, each broken down by region (NA, EMEA, APJ, LATAM); a majority answers Yes in every region]


Perceived benefits of SMS-based two-factor authentication are consistent across all regions. The top three benefits are considered to be ease of use, that it works on all mobile phones and that it is more secure than other 2-factor authentication methods, according to Figure 12.

Figure 12. The major benefits of SMS-based two-factor authentication (more than one response permitted)

[Figure 12 chart: Ease of use for end user, Works on all mobile phones, and More secure than other 2-factor authentication methods, each broken down by region (NA, EMEA, APJ, LATAM)]


Perceived benefits of using real-time verification of the receiver number with SMS-based two-factor authentication are also consistent across regions. The top four benefits, as shown in Figure 13, are improved customer experience, reduced costs for customer support, fewer customer complaints and the ability to collect information on number validity to clean up distribution lists.

Figure 13. Major benefits of SMS-based two-factor authentication in combination with real-time verification of the receiver number validity (more than one response permitted)

Next steps for two-factor authentication in 2014. As shown in Figure 14, organizations in all regions are definitely rolling out two-factor authentication in the coming year or considering it as a possibility. The strongest support is in North America, followed by APJ.

Figure 14. Does your company have plans to roll out two-factor authentication in 2014?

[Figure 13 chart: Improved customer experience, Less customer complaints to customer support, Reduced costs for customer support, and Collect information on number validity to clean up distribution lists, each broken down by region (NA, EMEA, APJ, LATAM)]

[Figure 14 chart: Yes, We consider it as a possibility, and No, single step authentication is sufficient, each broken down by region (NA, EMEA, APJ, LATAM)]


Part 4. Methods

Four omnibus sampling frames totaling 56,199 IT and IT security practitioners were used to field survey questions presented in this report. As shown in Table 1, respondents from 29 countries participated in this study.¹ On an aggregated basis, 2,122 respondents completed the survey. Screening and failed reliability checks required us to remove 261 surveys, thus resulting in a final sample of 1,861 and an overall response rate of 3.3 percent.

Table 1. Survey response

Regional clusters   Number of countries   Sampling frames   Final sample   Response rate
North America       2                     16,865            571            3.4%
EMEA                12                    14,563            433            3.0%
APJ                 9                     12,920            469            3.6%
LATAM               6                     11,851            388            3.3%
Global              29                    56,199            1,861          3.3%

Pie Chart 1 reports the respondent’s organizational level within participating organizations. By design, 55 percent of respondents are at or above the supervisory levels.

Pie Chart 1. What organizational level best describes your current position? (consolidated results for 29 countries)

¹ Please note that omnibus regional clusters are typically too small to generate country-specific findings. However, 10 countries had sample sizes at or above 50 individuals.

[Pie Chart 1: Senior executive 2%; Vice president 2%; Director 14%; Manager 18%; Supervisor 19%; Technician 38%; Staff/associate 4%; Contractor 3%; Other 1%]


Pie Chart 2 reports the respondent’s location within the organization. Forty-one percent of respondents report working within corporate IT and 20 percent are located in data center operations.

Pie Chart 2. What best describes where you are located within your organization? (consolidated results for 29 countries)

Pie Chart 3 reports the industry segments of respondents’ organizations. This chart identifies financial services (16 percent) as the largest segment, followed by public sector (9 percent) and services (9 percent).

Pie Chart 3. Industry distribution of respondents’ organizations (consolidated results for 29 countries)

[Pie Chart 2: Corporate IT 41%; Data center operations 20%; Security/IT security 15%; Line of business 13%; Risk management 4%; Quality assurance 3%; Legal & compliance 2%; Other 3%]

[Pie Chart 3: Financial services 16%; Public sector 9%; Services 9%; Industrial 8%; Retail 8%; Health & pharmaceuticals 7%; Consumer products 6%; Technology & Software 6%; Manufacturing 6%; Hospitality 5%; Energy & utilities 4%; Entertainment & media 4%; Communications 3%; Education & research 2%; Agriculture & food service 2%; Transportation 2%; Other 3%]


The total years of relevant work experience is reported in Pie Chart 4. Sixty-four percent of respondents reported having more than 10 years of relevant work experience.

Pie Chart 4. What range best describes your total years of relevant work experience? (consolidated results for 29 countries)

As shown in Pie Chart 5, 60 percent of respondents are from organizations with a global headcount of 1,000 or more employees.

Pie Chart 5. Worldwide headcount of the organization (consolidated results for 29 countries)

[Pie Chart 4: < 5 years 13%; 5 to 10 years 23%; 11 to 15 years 29%; 15 to 20 years 25%; > 20 years 10%]

[Pie Chart 5: < 250 13%; 250 to 500 13%; 501 to 1,000 15%; 1,001 to 5,000 21%; 5,001 to 25,000 18%; 25,001 to 50,000 10%; 50,001 to 75,000 7%; > 75,000 4%]


Part 5. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals located in four global regions, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.


Appendix: Detailed Survey Results

The following tables provide the percentage frequency of responses to all survey questions on a consolidated (global) basis across four regional clusters. All survey responses were captured in January 2014.

Sample response (Global)
Total sampling frame 56,199
Total survey returns 2,122
Rejected and screened surveys 261
Final sample 1,861
Response rate 3.3%

Q1. Do you believe that the traditional username and password approach is still a fully secure authentication method? (Global)
Yes 35%
No 65%
Total 100%

Q2. What best describes your familiarity with SMS-based 2-factor or 2-step authentication? (Global)
Very familiar 21%
Familiar 43%
Not familiar or no knowledge (stop, go to demographics part) 36%
Total 100%

Q3. For what purpose does your company use SMS-based 2-factor or 2-step authentication? Please check all that apply. (Global)
One-Time Passwords (OTPs) for user registration or identity verification 43%
One-Time Passwords (OTPs) for each login 33%
One-Time Passwords (OTPs) for transactions 31%
We do not use SMS-based 2 factor or 2-step authentication (go to Q11) 47%
Other 2%
Total 156%

Q4. Is your company aware that SMS-based One-Time Passwords (OTPs) sometimes do not get delivered correctly? (Global)
No 29%
We have an idea, but no specific indicator as to why 33%
Yes, we do receive explanatory error notifications 18%
We never had an issue with OTP delivery (skip questions 5a and 5b) 20%
Total 100%

Q5a. In your experience, what is the amount of One-Time Passwords (OTPs) that fail to be delivered? (Global)
Zero (skip to Q6) 4%
< 5% 13%
5 to 10% 24%
11 to 20% 31%
More than 20% 18%
I do not know 9%
Total 100%
Extrapolated value 13%


Q5b. Of those that fail to be delivered, what is the amount of One-Time Passwords (OTPs) that fail because invalid mobile numbers have been provided by end-users? (Global)
Zero 0%
< 10% 5%
10 to 25% 15%
26 to 50% 30%
51 to 75% 28%
76 to 100% 13%
I do not know 9%
Total 100%
Extrapolated value 48%

Q6. Would you be interested in verifying where end users are located and whether their number is valid in real-time in order to strengthen your security measures (assuming opt-in by end-user)? (Global)
Yes 66%
No 16%
Undecided 13%
We already verify recipient data before sending. 4%
Total 100%

Q7. In your opinion, what are the major benefits of SMS-based 2-factor authentication? Please check all that apply. (Global)
Ease of use for end user 71%
Ease of use for service provider 41%
Good value for money 42%
More secure than other 2-factor authentication methods 55%
Works on all mobile phones 61%
Other 1%
I do not see any major benefits 14%
Total 285%

Q8. In your opinion, what are major benefits of SMS-based 2-factor authentication in combination with real-time verification of the receiver number validity? Please check all that apply. (Global)
Increase conversion rates by improving the user registration process 36%
Collect information on number validity to clean up distribution lists 56%
Improved customer experience 67%
Less customer complaints to customer support 67%
Reduced costs for customer support 60%
Reduced costs if both services are bought in a bundle (combined message notification and validation) 37%
Other 2%
I do not see any major benefits 13%
Total 338%

Q9a. Do you, or did you ever, have a solution in place that helps you to validate mobile numbers before sending One-Time Passwords (OTPs)? (Global)
Yes 22%
No 72%
I do not know. 6%
Total 100%


Q9b. If you removed such a solution, what were the reasons for doing so? (Global)
Quality issues 35%
Technical issues 45%
Costs 19%
Other 1%
Total 100%

Q10. Do you plan to extend the usage of SMS-based 2-factor authentication during the next year? Please select all that apply. (Global)
Yes, for user registration or identity verification 47%
Yes, for the activation of online services 48%
Yes, for fraud prevention: One-Time Passwords (OTPs) for each login 30%
Yes, for transactions 18%
No, I plan to keep the usage to the same extent 11%
No 34%
I don't know 36%
Total 223%

Q11. Does your company plan on rolling out two-factor authentication in 2014? (Global)
Yes 50%
We consider it as a possibility 40%
No, single step authentication is sufficient 9%
Total 100%

Respondent and Organizational Characteristics

D1. What organizational level best describes your current position? (Global)
Senior executive 2%
Vice president 2%
Director 14%
Manager 18%
Supervisor 19%
Technician 38%
Staff/associate 4%
Contractor 3%
Other 1%
Total 100%

D2. What best describes where you are located within your organization? Please choose only one. (Global)
Corporate IT 41%
Data center operations 20%
Business development 0%
Finance & accounting 1%
Legal & compliance 2%
Line of business 13%
Risk management 4%
Security/IT security 15%
Procurement 1%
Research & development 0%
Human resources 0%
Marketing 1%
Quality assurance 3%
Other 0%
Total 100%


D3. What best describes your organization’s primary industry focus? Please choose only one. (Global)
Agriculture & food service 2%
Communications 3%
Consumer products 6%
Defense & aerospace 1%
Education & research 2%
Energy & utilities 4%
Entertainment & media 4%
Financial services 16%
Health & pharmaceuticals 7%
Hospitality 5%
Industrial 8%
Logistics 1%
Manufacturing 6%
Public sector 9%
Retail 8%
Services 9%
Technology & Software 6%
Transportation 2%
Other 1%
Total 100%

D4. What range best describes your total years of relevant work experience? (Global)
Less than 5 years 13%
5 to 10 years 23%
11 to 15 years 29%
15 to 20 years 25%
More than 20 years 10%
Total 100%

D5. What is the worldwide headcount of your organization? (Global)
Less than 250 13%
250 to 500 13%
501 to 1,000 15%
1,001 to 5,000 21%
5,001 to 25,000 18%
25,001 to 50,000 10%
50,001 to 75,000 7%
More than 75,000 4%
Total 100%


D6. Where are you located? (country list, Global)
Argentina 53
Australia 49
Brazil 158
Canada 169
Chile 21
China (PRC) 67
Colombia 26
Costa Rica 44
France 45
Germany 65
Hong Kong 29
India 121
Italy 40
Japan 87
Mexico 86
Netherlands 41
New Zealand 9
Russian Federation 52
Saudi Arabia 24
Scandinavia (Sweden, Norway, Denmark, Finland) 23
Singapore 26
South Africa 19
South Korea 56
Spain 36
Switzerland 12
Taiwan 25
United Arab Emirates 23
United Kingdom 53
United States 402
Total 1,861

Ponemon Institute: Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

tyntec is a mobile interaction specialist, enabling businesses to integrate mobile telecom services for a wide range of uses – from enterprise mission critical applications to internet services. The company reduces the complexity involved in accessing the closed and complex telecoms world by providing a high quality, easy to integrate and global offering using universal services such as SMS, voice and numbers. Founded in 2002, and with more than 150 staff in six offices around the globe, tyntec works with 500+ businesses including mobile service providers, enterprises and internet companies.