Goodbye phishing? Descope’s nOTP authentication offers WhatsApp alternative to SMS

This week, US startup Descope is announcing what it claims is a new way to authenticate to websites via WhatsApp that doesn’t require the end user to do much at all.

For the last decade, the online world has tried to solve the problem of password insecurity by migrating to multi-factor authentication (MFA), only to discover the technology has limits.

The first is that most consumers don’t like it and try to avoid using it if they can. They have a point. Using MFA on one website is mildly inconvenient but using it on every site quickly turns into a chore.

Judging from the modest uptake, businesses aren’t that keen either. Using MFA puts a barrier between the consumer and a transaction being completed, not to mention the cost of sending SMS texts that incur network charges.

For all its security benefits, implementing MFA through one time passwords (OTPs) is complex for businesses, requiring additional software and integration.

Descope’s answer to that, nOTP (“no-tee-pee”), uses WhatsApp as the authentication channel, a platform chosen by the company because of its popularity among consumers and its use of end-to-end encryption (E2EE).

The user clicks a “log in with WhatsApp” button on a website or scans a QR code, which opens a WhatsApp message containing a code. The user sends that message from their own WhatsApp account and is logged in to the site automatically.

This works as a basic form of MFA because the user is authenticated through their WhatsApp identity, including its connection to their registered phone number.
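The flow just described is the reverse of a conventional OTP: the site issues the code and the user sends it back. The sketch below is an added illustration of what the site's side of such a flow has to check, not Descope's code or API; the names, the 120-second lifetime and the phone-number-to-account table are assumptions for the example.

```python
import secrets
import time

CHALLENGE_TTL_SECONDS = 120  # how long an issued code stays valid (assumed value)


class ReverseOtpVerifier:
    """Simulates a 'send the code to us' login: the site issues a random
    one-time code for a browser session, the user sends that code from
    their WhatsApp number, and the site checks expiry, single use and
    whether the sender's number belongs to a registered account."""

    def __init__(self, registered_numbers, clock=time.time):
        self.registered = dict(registered_numbers)  # phone number -> user id
        self.clock = clock                          # injectable for testing
        self.pending = {}                           # code -> (session_id, expiry)

    def start_login(self, session_id):
        """Called when the user clicks 'log in with WhatsApp' or scans the QR.
        Returns the code the prefilled WhatsApp message will contain."""
        code = secrets.token_urlsafe(16)            # 128 bits, unguessable
        self.pending[code] = (session_id, self.clock() + CHALLENGE_TTL_SECONDS)
        return code

    def on_inbound_message(self, sender_phone, text):
        """Called for every message arriving at the site's WhatsApp number.
        Returns (session_id, user_id) on success, or None."""
        # Single use: a code is consumed on first sight, whatever the outcome,
        # so a replayed or guessed code never gets a second chance.
        entry = self.pending.pop(text.strip(), None)
        if entry is None:
            return None
        session_id, expires_at = entry
        if self.clock() > expires_at:
            return None                             # stale code
        user_id = self.registered.get(sender_phone)
        if user_id is None:
            return None                             # number not tied to an account
        # The caller marks session_id as authenticated for user_id.
        return session_id, user_id
```

The identity assertion here rests entirely on the sender number the messaging platform reports, which is why the binding between that number and the account matters more than the code itself.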

The technology behind nOTP reflects the company’s underlying platform Descope Flows, developed as a way for companies to add any type of authentication to their website using a visual process requiring no coding.

The company is pitching nOTP as an option for certain use cases, principally companies that want to move away from SMS authentication or for use on devices such as smart TVs where logins are awkward without a keyboard.

Being able to add any type of authentication to a website is intriguing. A customer can add nOTP but allow a fallback via another authentication method, including an old-world password.

Getting authentication up and running can be expensive and time consuming. The promise Descope is selling is that a developer can design and integrate their login process in a fraction of that time.

In essence, Descope Flows serves as an abstraction platform developers can use to create a complete login system, whether using nOTP or any other type of authentication.

“They design the user journey, what the login screen will look like, using drag-and-drop components. With less than ten lines of code they can put this into their application,” Rishi Bhargava, co-founder of Descope, told CSO Online.

The visual abstraction of the Descope Flows application is really a front end on top of the company’s API. Developers could access that API using their own code but doing it visually using Flows removes complexity and allows them to focus on the way they want to present authentication.

Your phone number is your identity

The inspiration for nOTP was to invent a new authentication method based on the universality of phones but without the downsides of SMS or the complexity of alternatives such as manually entering codes.

“OTP costs are huge. It’s a big chunk of money companies are paying to telecom companies,” said Bhargava.

SMS also gives rise to phishing attacks where criminals try to trick users into revealing their OTP.

“What OTP is doing at heart is verifying your phone number. We sent something to your smartphone and we know you own that smartphone. What we’re saying is that you can verify by sending a WhatsApp message rather than receiving an OTP.”

The phone number is now most people’s identity. Although not as secure as treating the phone itself as the identity — the approach taken by Passkey authentication which stores a private key on a smartphone — it’s an approach that addresses barriers that have held back MFA.

According to Bhargava, there is no code to generate or enter (authentication apps), and there is no need to rely on a mobile network to deliver it (SMS). Push authentication can do this but requires companies to rely on large service providers.

“Technologies such as Passkeys and nOTP add a second factor without adding friction. If you look at the mobile first generation, they do not check their email. They check their WhatsApp.”

The nOTP interface will be available on Descope Flows from this week.
