SMS authentication—also known as SMS-based two-factor authentication (2FA) and SMS one-time password (OTP)—allows users to verify their identities with a code that is sent to them via text message. A form of two-factor authentication, it often acts as a second verifier for users to gain access to a network, system, or application, and is a good first step toward better security.
However, it should be noted that SMS authentication is widely considered to be a weak form of verification. We’ll dig into the reasons why, but let’s first get an understanding of how SMS authentication works and the pros and cons of using it.
The mechanics are simple. After entering a username and password, the user receives a text message containing a one-time code, typically six digits, that the service generated for that login. Entering the code on the app or website completes the sign-in. You’ve probably experienced this yourself when logging in to Amazon, Facebook, Google, Twitter, and other services.
As a possession-based factor, SMS authentication verifies a user’s identity based on something they have: the phone, or more precisely the phone number the code is sent to. This adds a layer on top of the password. In theory, an attacker would need to steal both the user’s password and their phone to get into the account. In practice the attacker only needs to read or redirect the message, and that can be done without touching the handset, for instance by having the number ported to another SIM, or by running a phishing page that asks the victim for the code and relays it within the few minutes it is valid.
While it’s generally recommended to move away from SMS authentication, there are a few reasons why people and organizations continue to use it:
Despite being convenient and simple to use, SMS authentication has real downsides, and organizations have to ask whether it is sufficient to protect their corporate, employee, and customer data.
Here are a few risks you should keep in mind:
With all of these SMS attacks and security issues in mind, it is clear that even small amounts of information can be used to take over a phone number, impersonate a user, and access accounts. So, to answer the question: no, SMS authentication is not entirely secure. In 2016 the public draft of NIST Special Publication 800-63B deprecated SMS as an out-of-band authenticator. The final version published in 2017 softened that to classifying authentication over the public switched telephone network (SMS and voice) as RESTRICTED, which obliges the organization to assess the risk, notify users of it, and offer an alternative; the underlying weakness of SMS is still significant.
The SMS security risks outlined above have been widely and publicly discussed for many years. And yet SMS for 2FA is still widely used by many organizations. Why?
For starters, SMS authentication is easy to deploy and use. In addition, customers and employees alike have grown accustomed to using it to gain access to their various applications, whether they’re logging onto Slack, transferring funds, or playing Guild Wars 2. End users want quick, seamless authentication experiences and see SMS as a perfect solution, without necessarily considering the security risks.
If organizations want to move away from SMS authentication, they need alternative solutions that are just as easy to use.
SMS OTP is better than a password alone. However, there are better options for businesses looking to keep their data and users secure.
FIDO2 is a standard that simplifies and secures user authentication. It uses public key cryptography: the authenticator holds a private key that never leaves the device, and the browser binds every signature to the web origin that requested it, so a credential exercised on a lookalike phishing site produces a response the real site will reject. That origin binding is what makes FIDO2 phishing-resistant in a way that passwords, SMS codes, and authenticator-app codes are not. The World Wide Web Consortium (W3C) published its browser half, Web Authentication (WebAuthn), as a web standard for passwordless logins in March 2019.
Examples of FIDO2 in use include platform authenticators built into the device, such as Windows Hello on Windows 10, Touch ID on a MacBook, and fingerprint unlock on Android, as well as roaming authenticators such as the YubiKey and the Feitian BioPass. These not only increase security but also improve the login experience. Compared to answering a security question, for instance, passwordless authentication is a faster, easier way to gain access to accounts and services.
Mobile authenticator apps, such as Okta Verify and Google Authenticator, play the same role as SMS in the login flow but get the code to the user differently. After the user enters their username and password, one of two things happens. With a code-based app, the phone computes a time-based one-time password (TOTP, RFC 6238) from a secret that was shared when the app was enrolled (usually by scanning a QR code) and the current time, and the user types that code into the service; nothing is sent to the phone at login. With a push-based app, the service sends a notification to the app asking the user to approve or deny the login request.
Compared to SMS, these tools are more secure because the code never travels over the carrier network: a SIM swap or an intercepted text message yields nothing. In addition, the codes rotate every 30 seconds by default and are accepted only for a short window, which eliminates several of the risks outlined above. They are not phishing-proof, though: a site that relays the victim’s code in real time, or a push prompt the victim approves out of habit, still lets the attacker in, which is why the FIDO2 factors above rank higher.
Ditching SMS as an authentication factor can be easier said than done. The key is to get users accustomed to other, more secure alternatives, and to make their authentication experiences as seamless as possible. Most smartphones, for example, can verify biometric factors (e.g., a fingerprint) with minimal friction. In addition, FIDO2 allows users to enroll more than one authenticator (a laptop’s built-in biometric sensor and a security key, say), giving them multiple ways to access the applications and systems they need without a password.
With cyber attacks becoming more frequent and sophisticated, it’s vital for organizations to increase their security defenses. This means moving away from using passwords and deploying solutions that make it as difficult as possible for attackers to steal user credentials or gain unauthorized access to data and resources. And while SMS authentication is a step in the right direction, there are more secure factors that are just as (if not more) intuitive for end users.
For more information about the various authentication factors available, and the pros and cons of each, check out our Factor Assurance datasheet.