It’s good to see more and more websites, apps and services offering MFA, and some even making this kind of log-in protection mandatory. What concerns us is that a large share of those services still opt for SMS 2FA, even though SMS verification has well-known limitations and has proven to be less secure than every other two-factor authentication method. NIST (the National Institute of Standards and Technology) recommended moving away from SMS as an out-of-band authenticator as far back as 2016, in its draft of Special Publication 800-63B. We do believe SMS protection is far better than no second factor at all. But is SMS secure? If it isn’t, why do so many companies continue to use it? Is SMS two-factor authentication really as bad as they say? What can it be replaced with? Let’s find out!
SMS Authentication Pros
- SMS two-factor authentication is still alive and thriving partly because of the ubiquity of SMS. It is a standard feature of practically every mobile plan from every operator in the world. Even a user without a smartphone most likely has a basic mobile phone that supports SMS.
- It is easy. There is no need to download an app, scan a QR code, etc. SMS has been around for a long time (the first SMS was sent back in 1992); even my grandmother knows how to use it, and she’s 90. So a non-tech-savvy user will manage an SMS authentication code, while a more advanced MFA type might become a problem.
- Finally, if someone tries to break into your account, an SMS code arrives whether you asked for it or not, so a code you did not request is a clear signal that something is wrong. (Push-based MFA apps, by contrast, need a data connection to deliver the prompt; TOTP apps work offline, but show nothing unless you open them.) The warning only works, of course, if the message is not spoofed and you are actually the one receiving the verification code. And that’s where we come to the cons of SMS MFA.
SMS Authentication Cons
As a number of infamous data breaches over the last couple of years have shown, breaking into an SMS-protected account is not that hard for an average crook, and very easy for a well-equipped and motivated one.
- The well-known Twitter break-in was a SIM swap: the attacker impersonated the victim and convinced the mobile carrier to move the victim’s number to a SIM card the attacker controlled, so every call and text message, including 2FA codes, went to the attacker. This is rather easy to do, especially if the criminals know some other bit of information about you, your social security number for example.
- A related way to intercept your SMS one-time passwords, known as port-out fraud, again relies on impersonating you, but this time the criminals ask your telecom provider to transfer your number to a different carrier. They set up service with another provider, receive your texts there, and carry on with their crime.
- Most SMS-based MFA systems offer a recovery option in case a user loses their phone or changes number. If an attacker has access to your email, they can trigger that reset, register their own phone number for verification, and you won’t notice until it’s too late. A recovery flow is only as strong as the weakest identity check behind it.
- If you are still wondering how secure SMS is, consider the following. Telecom infrastructure around the world relies on the Signalling System 7 (SS7) telephony protocol suite, which is how carriers’ networks talk to each other to set up and tear down calls, route SMS and perform other services. SS7 was designed in 1975 for a closed network of operators that trusted one another, so it has no real authentication between participants, and its vulnerabilities are well known: anyone with access to the SS7 network, which is by no means limited to the big carriers, can reroute a target’s text messages. Intercepting an SMS one-time password this way is a painfully obvious and very easy attack for an experienced adversary.
- There are also fake cell towers (IMSI catchers) that can intercept SMS quite easily. And there is a range of mobile malware designed specifically to read SMS one-time passwords as they arrive and forward them to the attacker.
- One of these hacks was likely used in the well-known 2018 Reddit breach. Reddit said the attack involved intercepting employees’ SMS-based 2FA codes and that it did not believe any phones had been compromised, which points to the second factor being captured in transit or at the carrier rather than on the device.
- SMS authentication pricing is another disadvantage, one that matters most to the companies adding two-factor authentication to their websites and corporate infrastructure. SMS authentication is expensive: companies pay for every message delivered to every user, and at scale that turns into five- and six-digit bills at the end of every month.
| Read also: Dutch Scientists: SMS Verification Is Vulnerable
What MFA methods to use instead
So, is SMS two-factor authentication insecure? A 2FA-by-SMS hack is too easy to pull off for us to say it isn’t. But is two-factor authentication worth it overall? It most definitely is. If the service allows other types of MFA, we strongly recommend choosing one of the following.
MFA apps
MFA apps generate one-time passwords directly on your smartphone, from a secret that is provisioned once (usually by scanning a QR code) combined with the current time or a counter. At login time nothing is sent to the phone over GSM or the Internet, so there is no code in transit to intercept, which removes half the attacks listed above in one go. There are some cons to this type of MFA, though. The phone is still an Internet-connected device and therefore exposed to malware: a malicious app or file can end up reading the secret or the codes on screen. A code generated on the phone can also still be phished if the user is tricked into typing it into a fake site. And smartphones are easily stolen, lost or broken.
Hardware OTP tokens
Hardware tokens are the most secure MFA option you can get. These devices are built for one purpose only: to generate one-time codes. They are not connected to the Internet or any other network, so there is no remote way to attack them; what remains is physical theft of the token or exposure of the seed at provisioning time. There are programmable tokens that can replace MFA apps; these are a safer alternative for websites that offer 2FA only via an application, because the same shared secret is loaded into the token instead of a phone. And there are classic hardware tokens, like Protectimus Two for example, which require the website or service to support this type of authentication.
MFA chat bots
Protectimus MFA chat bots on messaging services like Facebook Messenger, Telegram, Viber etc. are a simple and cheap replacement for SMS verification. For companies, this is a good way to reduce the cost of supporting two-factor authentication and at the same time make 2FA more secure. Codes travel over the messenger’s encrypted (TLS) connection instead of the telephone signalling network, so SS7 attacks, IMSI catchers and SIM swaps do not help an attacker; bear in mind, though, that not every messenger end-to-end encrypts ordinary chats, so the messenger provider itself can still see the message. Access to the messenger is also usually protected by 2FA of its own, so even if the smartphone is stolen, getting the second factor won’t be that easy. Just make sure to disable lock-screen notifications, so nobody can sneak a glance at the code. And yes, messengers are also susceptible to malware, and a code delivered over any channel can still be phished from the user in real time.
| Read also: Hardware or Software Token — Which One to Choose?
The pros and cons of SMS-based multi-factor authentication discussed above make it clear that SMS is not the best option for protecting sensitive data, such as your banking apps. Yet it is still far better than relying on a simple login and password combination. So if a website offers only SMS protection, we insist you turn it on! But try to nudge the company in a more secure direction: use your influence as a valuable customer, use social media to make them hear you. If enough users demand better security, companies will eventually have to comply. And if you own a company, do make sure to give your clients better choices!