Why SMS Two Factor Authentication Isn’t Enough. And What You Should Use Instead

One-time passwords sent via SMS aren’t a reliable indicator of identity. And, as it turns out, they never really were in the first place. While OTPs are a step up from knowledge-based questions and passwords alone, the way they’re delivered exposes them to numerous attacks.

Which leaves us with the burning question: if not OTPs, then what? Read on as we explore the logic behind SMS-delivered OTPs, the unfortunate vulnerabilities that render them almost obsolete, and what Transmit Security’s CEO and Co-founder, Mickey Boodaei, strongly suggests using in their place.

Beyond passwords

SMS authentication is a method of identity verification often used for two-factor authentication (2FA) or multi-factor authentication (MFA). The user provides a code that is sent to their phone via SMS as proof of their identity.

SMS 2FA is grounded in the concept that, in order to verify their identity, a user should present more than just an easily hacked or easily shared password. Users need to prove their identity using at least two of the three types of authentication factors:

Something you know: a password, PIN code, code words, or answers to security-based questions.


Something you have: a one-time password sent to a device you own, or device tokens, USB drives, keys, and smartphones.


Something you are: what belongs to you and no one else, including fingerprint and palm scanning, iris scans, facial recognition, and voice verification.


The logic of 2FA is simple: by doubling the number of checks a user must pass to verify their identity, the chance of a fraudster getting through drops. In addition, 2FA is meant to keep a user’s identity consistently verified across desktop, mobile, and cloud-based apps.

But SMS authentication isn’t a cure-all

And while 2FA via SMS is better than no multi-factor authentication at all, it is far from secure. In fact, it can be easier for fraudsters to get hold of 2FA SMS messages than to obtain passwords or other identity credentials.

Here are three ways that they do it:

SIM swaps: In a SIM swap, a fraudster contacts your phone or wireless provider and — using personal data collected from social media platforms or from hacking other accounts — convinces the provider that they are you, so that your phone number is transferred to a SIM card the fraudster controls. With the redirect in place, the fraudster receives all your 2FA text messages and can reach almost any of your accounts, from email to bank accounts and beyond.

SMS phishing scams: An SMS phishing scam (“smishing”) is exactly that: a phishing scam delivered via SMS instead of email. You receive a text that appears to come from a trusted provider, asking you to click a link in the message. Once you do, you’re taken to a legitimate-looking but fraudulent site and asked to enter your details, or to download spyware or malware disguised as a genuine update, giving fraudsters the information they need to access your private accounts.

SS7 attacks: In an SS7 attack, fraudsters exploit weaknesses in SS7, the (highly vulnerable) signalling protocol carriers use to route calls and text messages between networks, to track your phone number and its location, listen in on your voice calls, and read your text messages without your knowledge. With your phone number and one other identity authenticator in hand, they can then gain access to your secure accounts. With so many ways SMS 2FA messages can be intercepted, it’s a wonder it is still so widely used.

If not SMS 2FA, then what?

Luckily, newer and more secure methods of multi-factor authentication are reaching the market. Authenticator apps installed on your devices, bound uniquely to a device you own and protected by a password, are one way to avoid SMS while still generating unique, time-limited codes for two-factor authentication.
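To make concrete what an authenticator app actually does, here is an added example (not code from the original post or from Transmit Security): it derives the time-limited six-digit code from a secret held on the device (HOTP/TOTP, RFC 4226/6238) and shows the matching server-side check, with clock-drift tolerance and replay rejection. The secret is the RFC test seed, constructed for the demo, and all function names are my own.

```python
# Added example (not code from the original post): a minimal RFC 4226 / RFC 6238
# implementation showing how an authenticator app derives its time-limited code
# from a device-bound secret, and how a server verifies it. Names are my own.
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the ASCII seed used by the RFC test vectors. A real
# enrolment generates a random secret (secrets.token_bytes(20)) and stores it
# only on the device and the server; it never travels over SMS.
DEMO_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, last_used: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None.

    - tolerates +/- `window` steps of clock drift between phone and server;
    - rejects any counter <= `last_used`, so a code that was just accepted
      cannot be replayed within its validity window (caller persists the value);
    - compares in constant time so response timing does not leak digits.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)  # what the app would display right now
    print("code:", code, "accepted at counter:", verify_totp(DEMO_SECRET, code, now))
```

Note that the whole scheme rests on the secret never leaving the device, which is exactly the property SMS delivery lacks.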

Biometric authentication, such as facial recognition, voice recognition, or fingerprint scanning, is also far more effective than one-time passwords and PIN codes.

In a recent interview, Transmit Security’s CEO and Co-founder, Mickey Boodaei, shared his thoughts on what companies should be doing to authenticate their users instead.

“Today, I would say focus on just one thing: biometrics that are embedded in the endpoint device of the user. Whether that’s via phone, Face ID, Touch ID, or the Android equivalent of that. These methods should replace all knowledge-based methods of authentication such as passwords and knowledge-based questions, as well as OTPs via SMS.”

Mickey Boodaei

Why endpoint device biometrics are crucial

There are three core reasons why endpoint device biometrics are crucial. First, because the technology they use is so advanced: it is currently the best option available in the market, both in terms of its ease of installation and with regards to its long-term.

Second, because these biometrics are quickly becoming the industry standard. Users are already familiar with high-assurance authentication procedures, including endpoint device biometrics, and are becoming more comfortable using them every single day.

And third, because they are by far the most secure way of authenticating users today. This is because they weave together all three categories of authentication — something you know, something you have, and something you are — in one endpoint, making them a highly secure and reliable method of authentication.