SMS 2-factor authentication is alive and kicking

(Image credit: Gilles Lambert / Unsplash)

Authentication apps are in vogue – but there’s a big reason SMS 2FA will be relied on by businesses for years to come.

Upon hearing rumours he had died, author Mark Twain is said to have quipped to a newspaper: “Reports of my death have been greatly exaggerated.”

Keep this quote in mind if you come across articles claiming that authentication apps are going to consign SMS two-factor authentication (2FA) to history.

Far from dying off, SMS will be confirming online identities across the world for many years to come.

In fact, you can bet on its usage growing – fast.

Ease and simplicity

With cyber breaches and data exploitation making headlines on a frequent basis, it’s clear we live in an era where online security should be a number one priority for businesses and their customers.

Two-step authentication techniques are indeed a great way to ensure security is not compromised.

Yet the reality is that people across the globe – including a reported 90 per cent of Gmail users – are still leaving themselves wide open to fraud by securing important online accounts with a single password only.

They’re failing to take up the option of 2FA for reasons including the hassle involved, the unfamiliarity of the technology, or because they underestimate the threat to their accounts and applications.

And whilst strong passwords are an important component for security, it’s clear that a simple and accessible way for people to add that extra layer of authentication is needed.

That’s where SMS comes in.

The rise of authentication apps

SMS 2FA is a beautifully simple system because almost everyone has a mobile phone and almost everyone uses their text inbox. The service is quick, easy to understand, and no Wi-Fi is required. To receive passcodes via SMS, you only need to tick a permission box.

So, how does it work? First, you enter your username and password into a website, as usual. Then you receive an SMS with a unique one-use PIN delivered straight to your pre-determined phone number. You enter that too, and you’re in. This means that even if someone has your username and password, they won’t be able to sign in to your account without access to your text messages.
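As an added example that is not part of the original article, here is a minimal server-side implementation in Python of the SMS step just described. It assumes the password step has already succeeded and that a separate SMS gateway (not shown) delivers the code; the point is the checks the site operator needs around the one-use PIN: unpredictable generation, hashed storage, expiry, single use and a guess limit.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store of pending codes keyed by user id (example only;
# a real deployment would keep the same fields in a database or cache).
PENDING = {}

CODE_TTL_SECONDS = 300   # a code expires five minutes after it was issued
MAX_ATTEMPTS = 5         # invalidate the code after repeated wrong guesses

def _hash_code(code, salt):
    """Store only a salted hash so a leaked store does not reveal live codes."""
    return hashlib.sha256(salt + code.encode()).hexdigest()

def issue_code(user_id, now=None):
    """Generate a 6-digit one-use code after the password step succeeds.
    Returns the code so the caller can pass it to an SMS gateway (assumed,
    not shown); nothing but the hash is retained server-side."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, not predictable
    salt = secrets.token_bytes(16)
    PENDING[user_id] = {
        "salt": salt,
        "digest": _hash_code(code, salt),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code

def verify_code(user_id, submitted, now=None):
    """Second-factor check: accept exactly one valid, unexpired submission."""
    now = time.time() if now is None else now
    entry = PENDING.get(user_id)
    if entry is None:
        return False                          # nothing pending for this user
    if now > entry["expires"]:
        del PENDING[user_id]                  # expired: a new code must be requested
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del PENDING[user_id]                  # too many guesses: invalidate the code
        return False
    ok = hmac.compare_digest(entry["digest"], _hash_code(submitted, entry["salt"]))
    if ok:
        del PENDING[user_id]                  # one-use: the same code cannot be replayed
    return ok
```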

Authentication apps are another excellent option for businesses and consumers that are serious about security. They generate unique passcodes, which must be entered as part of a log-in process.

However, authentication apps have a downside. If a business wants people to use an authentication app, it must first persuade them to download it. This is a small but significant barrier in itself. Additionally, the user must undergo a security process to enter their details and confirm their identity (which often includes being sent an SMS 2FA code through their phone). And there’s real inconvenience if you ever change phones, as you have to update authentication details on all your apps.

In a time where consumers expect a quality and speedy service, the reality is that many organisations will struggle to persuade large numbers of users to do this. Many Gmail users have not adopted 2FA, despite having access to a ready solution in the form of Google’s own Authenticator app.

Network security is all about managing risk and finding solutions that encourage consumers to take action, and to keep acting that way. SSL web browsing has risks, but it has boosted online security because it’s conveniently built into web browsers. And therein lies the beauty of SMS 2FA: it’s easy and accessible, and it’s far safer than relying on a one-factor password process. You don’t ignore car seat belts because they can’t protect you from every sort of crash. You use them and look for other ways to keep yourself safe as well – airbags, for example.

SMS 2FA is dead...long live SMS 2FA

So what are the security issues with SMS?

A few years ago, just as SMS 2FA was taking off, a flaw in the system came to light. Attackers worked out they could call a mobile network provider claiming to be a customer, then persuade the operator to port that customer’s number onto a new SIM card. This meant an attacker could receive a customer’s SMS messages on a new SIM – including any 2FA alerts.

Fortunately, this process lapse has been fixed. Now, all major network providers insist that customers prove their identity before accessing their account.

But there’s also the rare occurrence of attacks on the SS7 system to consider. SS7 is a set of protocols that allows phone networks to exchange information with each other. Sophisticated attackers can potentially access the SS7 system. If they also have a target’s username and password, they can then reroute text messages for that person’s number.

Fortunately, these types of attacks are incredibly rare and difficult to pull off. Unless attackers are going after extremely high-value individual targets, they’re highly unlikely to go to all the trouble of both entering the SMS network and getting hold of usernames and passwords.

What’s more, operators across the world have woken up to the SS7 threat and have been installing firewalls to protect the network over the past few years.

Official backing for SMS 2FA

In recent years, the US’s National Institute of Standards and Technology (NIST) – one of the most influential authorities on online security in the world – created a draft of its annual publication, which questioned the effectiveness of SMS 2FA based on SS7 vulnerabilities.

This led to many headlines announcing the demise of SMS 2FA. But, following further investigations, NIST experts revised their decision. The final version of the guidelines specifically recommended SMS as an effective 2FA measure, while discounting email or VoIP channels because they don’t “prove possession of a specific device”.

In short, SMS has been found by NIST to improve security exponentially without creating barriers for employees and customers to overcome. It can be rolled out to thousands of users at lightning speed, and it’s incredibly cost-effective. For these reasons, it’s likely to remain the most widely used and effective 2FA tool for organisations and their stakeholders.

Reports of the death of SMS 2FA are, indeed, greatly exaggerated. It has given users the peace of mind that their details can be protected, wherever they are in the world.

Michael Mosher, Director, Global Information Security & Privacy, OpenMarket

Michael Mosher is a former US Secretary of State bodyguard and head of protective services. A recognised leader in the telecommunications industry, he leads OpenMarket’s security and privacy arm.