2-factor authentication via messaging apps vs SMS authentication

2FA Chatbots vs. SMS Authentication

6 min readOct 22, 2019

In this article, we’ll explain what is a bot for two-factor authentication and how 2FA chatbots (two-factor authentication with messaging service chatbots) work. We’ll look at the pros and cons of this one-time password delivery method and figure out which is best: 2FA bots or SMS authentication.

How did the Protectimus Bot token come to be?

One of our clients (a payment system with 2,000,000 active users) was spending about $30,000 per month on SMS delivery. They were using SMS to send out one-time passwords and system notifications (withdrawals and deposit notifications, informational messages, etc.).

This client gave us the task of developing a one-time password delivery method that would be just as convenient for end-users as SMS authentication, but more secure and less expensive.

The solution we came up with while looking for SMS two-factor authentication alternatives is using 2FA chatbots on messaging services. Additionally, the Protectimus 2FA chatbots can be used to deliver both one-time passwords and notifications of any kind. Now, our client is saving about $20,000 per month that they used to spend on SMS messages.

2FA chatbots in instant messaging apps solve the majority of problems associated with SMS authentication: first, it’s more secure; second, it’s FREE! What’s more, chatbots are virtually just as easy to use as SMS.

How does two-factor authentication with chatbots work?

Currently, the ProtectimusBot chatbot is available on three messaging services:

Practically every smartphone user already has at least one of these free messaging apps installed.

When a user enables two-factor authentication via Messenger, Telegram or Viber they:

Choose one of the messaging services listed and find the ProtectimusBot on it.
Request their unique ID using the /getid command.
Input the ID they receive into the system they wish to protect.
Then, the Protectimus two-factor authentication service will create a token and send it to the user via the 2FA chatbot.
The user confirms that they received the one-time password by inputting it into the appropriate field. This also completes the token issuing process.

After that, all one-time passwords and messages from the service will be sent through the 2FA chatbot. Two-factor authentication using chatbots in messaging apps for Android and iOS is free for both our clients and their end-users.

You’ll find an example of how the Protectimus Bot token is issued in the video below.

Let’s look into the technical side. The chatbot-based software OTP token supports all two-factor authentication algorithms: HOTP, TOTP, and OCRA. Because of this, the ProtectimusBot 2FA chatbots also support CWYS (Confirm What You See) data signing functionality. Data signing involves generating a one-time password based on data from the operation the user is performing; for example, transaction data can be used: the amount, currency, recipient, time, etc. This feature is indispensable for payment systems and banks. It’s impossible to use the one-time password, generated on the basis of such unique data, to sign an illicit transaction, even if an attacker intercepts the OTP. Currently, only four Protectimus tokens support CWYS functionality: the 2FA app Protectimus Smart, as well as Protectimus Mail, Protectimus SMS, and the 2FA chatbots.

2FA chatbots vs. SMS authentication

2FA chatbots: the pros and cons

Pros

Chatbots for two-factor authentication are available at no cost to both clients and their end-users.
The Protectimus Bot 2FA chatbot allows you to deliver both one-time passwords as well as other messages and notifications.
Messages on these messaging services are transmitted in an encrypted form, Telegram is almost the best messaging app when it comes to security. If someone intercepts a one-time password, they won’t be able to decrypt it.
Passwords are used to protect access to the messaging services over which OTPs are delivered. Additionally, access to messaging services can also be protected using two-factor authentication.
If someone attempts to log in to your account, you will immediately receive a notification.
Messages aren’t delivered over cellular networks. That means that GSM network vulnerabilities can’t be used to intercept one-time passwords.
We also have yet to hear of any virus that can extract one-time passwords from messaging apps. On the other hand, viruses that extract OTPs from SMS messages are plentiful.
The Protectimus Bot token can also be used outside of areas with cellular network coverage as long as internet access is available.
Users don’t need to install another app or buy two-factor authentication hardware tokens. One of these messaging apps is already installed on 99% of users’ phones.
Chatbots for two-factor authentication can even be used when you don’t have access to your phone — there are web-based versions of Telegram, Viber, and Facebook Messenger.

Cons

Internet access is needed to use messaging apps. However, you’re more likely to have problems with cellular network coverage than with internet access. 3G/4G/5G technology is available wherever there is cellular network coverage. If there’s no coverage, you can find a Wi-Fi hotspot or use a wired internet connection.
It’s possible to log in to messaging services from several devices and forget to log out, leaving multiple sessions active at once. For example, while writing this article, I have three active Telegram sessions: one on my smartphone, one on my work computer, and one on my laptop at home.
To issue a token, users need to add the ProtectimusBot chatbot themselves.

SMS authentication: pros and cons

Pros

In short, there’s only one essential advantage to using SMS-based two-factor authentication: users don’t need to visit your office, give out their address to receive a hardware token, or install an app in order to start using one-time passwords. As soon as you have a user’s phone number, you can start sending them OTPs. Often, this single advantage is enough for clients to choose SMS-based two-factor authentication. Companies will readily sacrifice security for the sake of convenience.
SMS authentication is also well suited to users of feature phones with a traditional keypad, who simply cannot install apps on their phones. This can also be considered an advantage.
Besides, just like Protectimus Bot, Protectimus SMS tokens support CWYS (Confirm What You See) data signing functionality.

Cons

The rest is solid negatives, it’s too expensive and SMS two-factor authentication hack is possible because of too many weak points:

SMS messages can be intercepted while being delivered over cellular networks.
A one-time password can be intercepted directly on the user’s device by a virus.
Attackers may request a replacement SIM card in order to gain access to a victim’s telephone number.
Employees of an SMS service operator are often involved in such schemes.
If a subscriber is located outside the network’s service area, they won’t receive an OTP.
Companies spend hundreds of thousands of dollars paying for SMS delivery.

In summary: 3 reasons to stop using SMS authentication and start using 2FA chatbots

Each approach to two-factor authentication has its strengths and weaknesses. However, after comparing SMS authentication to chatbot-based delivery of one-time passwords, we can clearly see that Protectimus Bot tokens win on every count:

Financial efficiency. Using two-factor authentication via messaging services is more profitable from a financial point of view.
Security. Multi-factor authentication using Telegram, Viber, and Facebook Messenger 2FA chatbots is many times more secure.
Convenience. 2FA using messaging apps is no less convenient than SMS authentication and is even more convenient in some situations (for example, when using roaming).

Switch to messaging apps and save money while improving your level of security. If you have any questions, contact us by email at support@protectimus.com.

Originally published at https://www.protectimus.com on October 22, 2019.