
The Value of SMS One-Time Passcodes and Why They Shouldn’t be Banned

German banks are reportedly moving away from SMS one-time passcodes.

Let me first say that I’m not a big fan of SMS-based one-time passcodes (OTP). SIM swapping is a real threat and we’ve seen successful SIM swap attacks before. However, banning or dropping SMS-based techniques as a result of those successful attacks is exactly what’s wrong with authentication and authorization today.

The fact that some banks relied on SMS as a binary authentication factor (i.e. with each transaction and not based on risk) is alarming to begin with, but the fact that they’ve now decided to drop SMS OTP altogether is just as alarming.

Organizations are always looking for a silver bullet that can give them a binary “strong” authentication result. Well, there isn’t one and anyone who’s selling this dream is, well … dreaming. Those who put their faith in mobile or biometrics are in for unpleasant surprises.

There isn’t a silver bullet.

The right approach is building trust in the user’s identity and devices over time using multiple approaches and based on thorough risk analysis (Continuous Adaptive Risk and Trust Assessment). SMS is one of the approaches that can be used at the right time and based on risk. Used in conjunction with multiple other techniques over time, it will produce some great results.

Remove SMS and you have one less indicator to rely on when building trust. The entire approach to authentication and authorization has to change if we really care about our users’ identities as opposed to just “complying” with various regulations. Complying is important, but the way you comply makes all the difference.

 

Author

  • Alex Brown

    A self-professed technology geek, content writer Alex Brown is the kind of person who actually reads the manual that comes with his smartphone from cover to cover. His experience evangelizing for the latest and greatest tech solutions gives him an energized perspective on the latest trends in the authentication industry. Alex most recently led the content team at Boston-based tech company Form.com.