Paul McGuire, CEO of tru.ID, explains the issues with SMS-based app onboarding, and offers simpler, more secure alternative.

That app download that your marketing team spent so much time, money, and effort delivering is only the beginning of the acquisition challenge. What happens next at onboarding – the first-time user experience between opening an app and registering – is just as important for converting a new user.

To verify new customers, you’re most likely using username and password, social login, or maybe a magic link. If you verify mobile numbers, you’ll be using SMS. But whichever you choose, up to 30 per cent of users drop off at this stage. What if you could save them and increase your ROI?

Let me explain why SMS-based onboarding is fraught with poor UX, deliverability issues and security holes. And I’ll share a new alternative for verifying your users that you can offer to your tech teams instead.

Break in flow = distracted users
Mobile apps are all designed to absorb you. But getting a user through registration in the first place is the initial engagement hurdle. There may be three extra screens you need for SMS passcodes – or five, if you count the resend experience. This is dead weight for your app, and a hassle for your users. Every time a user has to exit the app to confirm an email, for example, the switch in context breaks the onboarding flow, increasing the likelihood of abandonment. So keeping their attention is not only good usability, it’s good business.

Missed messages: how SMS works 
If you think SMS is real-time, consider these findings from Nielsen:

• Anything that takes more than 500 milliseconds is not perceived as ‘real-time’ by users.
• More than 2500 milliseconds makes users actively impatient.
• The likelihood of abandonment increases exponentially beyond the 10 second mark.
• A wait of 30 seconds or more is almost guaranteed to lead to abandonment of the process, unless the app is critical to the user (e.g. their main bank).

It’s often assumed that mobile connectivity is ubiquitous, and connectivity issues don’t happen. But there’s a reason why apps have to provide SMS resend functionality – not all SMSs arrive in real-time, and if a second attempt is needed, the drop offs rise to 50 per cent. 

SMS protocols date back to 1985, and were designed to communicate between SMS Centres (SMSCs) rather than with humans. So next time you think you’re sending an SMS to your mum, you should know you’re actually sending it to an SMSC via your network operator. If a message is sent from an app, it’s likely that it uses several network hops, each of which may fail. Premium SMS routes are also a myth.

SMS security is not what it seems
As consumers, we are habituated to believe that SMS is secure, but this isn’t the case. SMS one-time passwords are a popular choice for two-factor authentication because mobile devices are so universal. The theory feels right – if you send a code to a mobile number, the assumption is that it implies possession of the device on which it’s received.

However, an SMS code only verifies the number can receive text messages, not that the number belongs to a mobile phone, nor that it’s a valid subscriber, nor that its in the possession of the user that you are trying to authenticate. This is how malicious actors operate – they can intercept SMSs to take over accounts.

Now, imagine an onboarding journey in which you can verify the number not only with fewer steps, but with stronger authentication – all without affecting the user experience, and the checks happening automatically in the background.  

Discover a better alternative – SIM-based authentication with tru.ID
It’s time to tell you that there is a new – better – alternative to legacy authentication methods, and that is tru.ID SIM-based mobile account verification. During onboarding, a user simply enters their phone number, and tru.ID verifies it in real-time using the SIM card. There’s no need for unreliable SMS codes, extra steps or context switching between email or authenticator apps. The result via tru.ID is an instant check of the phone number that’s invisible to the user and a far smoother, more impressive UX. 

This is possible because the SIM card is a very special piece of tech kit. It comes with impregnable cryptography and is actually the same proven microcomputer technology that you can see in every credit card. A mobile phone number is also uniquely tied to an individual SIM card. Together, the pairing of the SIM card with the mobile phone number is entirely unique, difficult to tamper with or duplicate, and only the mobile network can verify securely that the pairing is valid. 

tru.ID now makes this verification with global carriers available to app owners so that they can build experiences that are the best of both worlds – simple for the user, and secure at the backend. What’s more, there is no private information exchanged between app and carrier – the checks simply return a verification. 

So having explained how our new technology works, let me return to the original challenge that mobile app owners face – how to optimise app onboarding. What if you could dispense with extra screens, extra hoops and extra steps for your customers? The solution is clear: by removing SMS, doing away with email context switching and providing secure, private and instant phone verification, you can improve those hard-earned conversions. It’s no longer a matter of how, but when.

About tru.ID
tru.ID is the simpler, stronger alternative to SMS passcodes, social logins, usernames, passwords and other legacy authentication methods. By integrating with tru.ID APIs, mobile app developers can verify real phone numbers and subscriber SIM status directly with global carriers, and build innovative user journeys, ensure continuous security and embed a private digital identity by design. Find out more at tru.ID, or follow us on Twitter or LinkedIn.