Why You Should Ditch SMS as an Auth Factor
In my previous post, I talked about how the COVID19 pandemic has impacted how our customers use MFA — more specifically how SMS as a factor is on the rise as organizations look to rapidly roll out a quick and easy secondary auth method in response to the need to embrace remote work. In this post, I’ll go into more detail around issues with SMS as a factor, and some alternative methods that I’d recommend.
SMS as an Authentication Factor
We’re all familiar with SMS - if you have ever received a text message, you know how easy a form of communication it is. That’s why, for years now, SMS has also been considered a great option as a second form of identity verification - commonly known as SMS OTP (one time passcode).
For example - log into your banking app on a new device, receive a text sent to confirm your identity. Or, log into Facebook from a new location - receive a text to verify it was really you attempting to log in.
Easy, familiar, and thought to be “secure enough.” This has also extended to the workplace for companies that have implemented MFA - log into your work email, Slack or other apps, and just provide an SMS OTP to complete the login.
SMS OTP seems like a quick way to get up and running with MFA, but is it really the best option? In recent years, breaches have proven that unfortunately, SMS OTP as an MFA factor, similar to the password, is past its glory days. In 2016, NIST started indicating that it no longer considered SMS secure, and recommended deprecating this option as a method of MFA. While they have since softened their stance to an extent, it’s still clear that SMS was not designed with the intent to securely transport data. While SMS OTP is easy to deploy because everyone has a phone, it’s not truly a secure way to access accounts.
Common issues with using SMS OTP as an MFA factor
We’ve been hearing a lot about moving away from SMS OTP as a factor because of its security deficiencies, but what exactly are those deficiencies? Let’s break it down:
1. SIM Swapping/SIM Hacking
The SIM card in your phone essentially tells your phone which wireless carrier to connect to, and what phone number to connect with. In a SIM swap/SIM hack attack, a threat actor impersonates you and convinces the carrier that they are, in fact, you.
Ultimately, your phone number is then assigned to a new SIM card on a different phone. In a SIM swap/SIM hack, threat actors do not need access to any of your physical devices to gain access to your accounts - once your number has been switched to a device in their possession, they can receive all SMS OTP messages tied to your online accounts.
2. Lost devices & synced devices
You’ve lost your phone - annoying, but happens from time to time. But, what happens when your phone number is connected to your banking apps, social media, and more?
In general, multi-factor authentication is considered a combination of two pieces of evidence which prove you are who you say you are - a knowledge factor (something you know), an inherent factor (something you are), or a possession factor (something you have). Using password and an SMS OTP as a factor is a combination of knowledge and possession factors, but, If you’ve lost your phone, in theory you should no longer be able to receive messages to validate your identity.
However, because we can now sync messages across multiple devices, even if you have lost the device which should be considered your second factor, you still have access to your accounts. This is considered insecure when you can forward text messages to your email - which may have an insecure password, or if you’re using a VoIP number that can be accessed on any device which may or may not have a PIN code.
3. Taking over your online wireless account
Keep in mind that most of the common wireless providers allow you to view text messages via your online account, within their web portal. If your account for the web portal itself isn’t protected with a second factor, and if you are using an easily guessed password which you use with many online accounts, a threat actor could monitor your account for an SMS OTP message that you initiated for a banking app, Facebook, etc, giving them access to those accounts.
4. Social engineering & phishing
Unfortunately, SMS OTP is not the only form of authentication susceptible to social engineering phishing attacks. Less secure factors like passwords and security questions are equally susceptible. In a social engineering attack, a threat actor posing as an employee from a service you trust convinces you to hand over your account credentials, and in many cases, the SMS OTP sent to your device as well.
For example, if you get a call from your “bank” telling you that they need immediate access to your account for security purposes, you may inadvertently give a threat actor your username/password combination, as well as the SMS OTP code which gets sent to your phone during the login process. Phishing attacks aren’t just specific to email. You can receive a phishing text message as well, and if you inadvertently type a username/password combination into a malicious website, the threat actor could then use a few of the aforementioned attack types to take over your account.
This is not a full list of the issues with using SMS OTP as a factor, but should give you a sense of why it’s wise to consider use of stronger factors to protect your users and their data.
What can I use as an alternative to SMS?
While it is difficult to completely move off SMS as an MFA factor, many authentication providers offer multiple factor types to validate a user's identity. Ideally, your authentication provider will allow you to enable multiple factor types for a single user, with some factors as required and some as optional. Here are some recommendations on more secure factors to enable for your users:
1. Mobile authenticator apps
Mobile authenticator apps traditionally support OTPs within the app, or, ideally, push notifications, which are more secure than OTPs. When a user enters their credentials into a web app, they are then prompted to either enter the OTP or accept the push notification sent to their phone. If your mobile authenticator app supports biometrics like FaceID on iOS or fingerprint on Android, even better.
Benefits of mobile authenticator apps over SMS OTP:
- Does not rely on your wireless carrier’s reliability or security - the OTP and push notification are tied to your phone, regardless of the phone number
- Many authenticator apps offer mobile OTP for free and can be used for both enterprise and consumer use cases
- Mobile OTP codes expire quickly, offering a better level of security than SMS OTP
- No dependency on location, and in some cases no dependency on internet/data - for example if you are traveling internationally, mobile OTP and push notifications will still work. OTP codes specifically work even if your device does not have cellular service or data.
- Securing push notifications with biometrics offers an increased level of security - even if your phone is stolen, the push notification cannot be accepted by anyone else.
There are many different mobile authenticator apps on the market, some are a better fit for enterprise use cases than others.
Examples of mobile authenticator apps include:
2. FIDO2.0 (WebAuthn)
WebAuthn is a browser-based API that allows for web applications to simplify and secure user authentication by using registered devices (phones, laptops, etc) as factors. It uses public key cryptography to protect users from advanced phishing attacks.
In March 2019, the World Wide Web consortium announced WebAuthn as the new web standard for passwordless logins. To learn more about how WebAuthn works, see our post here. Today, WebAuthn is the only factor which is phishing-proof.
WebAuthn factors can be on-device (platform), or off-device (roaming). Here are aome details on both:
Off-device/roaming authenticators: These are WebAuthn-supported factors that are not built into the hardware (computer/phone).
On-device authenticators/platform authenticators: These are WebAuthn-supported factors that are built into the hardware (computer/phone).
- Windows Hello on Windows 10 1903 and later
- Touch ID on MacBook
- Fingerprint on Android 7.0+
Support for WebAuthn is dependent on the web app updating their authentication process to support the WebAuthn API, browser support, OS support, and hardware support. This may seem overwhelming, but thankfully, many operating systems, devices and browsers already support WebAuthn. And, while consumer apps are still in the process of adopting this standard, if you’re using an enterprise-grade authentication provider to secure access for the workforce, it’s likely you’ll be able to use WebAuthn with that provider.
Benefits of WebAuthn over both SMS OTP and mobile authenticator apps:
- A standards-based approach to secure passwordless authentication
- Phishing-proof factor type via a public and private key pair for each WebAuthn factor that a user enrolls with
- Best experience for end users - use of biometrics means swift, seamless logins
- The same biometric you use to login/unlock the device can be used to access apps
- Multiple options for devices & security keys
Examples of browsers, hardware, and operating systems which support WebAuthn:
- Google Chrome on MacOS using Touch ID
- Google Chrome on Windows 10 using Windows Hello
- Microsoft Edge on Windows 10 using Windows Hello
- Firefox on Windows 10 using Windows Hello
- Google Chrome on Android 7.0+ using devices with fingerprint support
- Desktop apps on Windows and MacOS that use a WebAuthn compatible browser for login using Windows Hello and Touch ID, respectively
- Native mobile apps that use a WebAuthn compatible browser (ie Chrome) for login on Android 7.0+ using fingerprint support
While it’s not an exhaustive list of available factors, the diagram below shows a few examples of common factors and their assurance levels. As you’d expect, using just a password has the lowest level of assurance, and the highest likelihood in probability of account takeover and subsequent data breach.
Learn more about multi-factor authentication
It’s true that securing accounts with SMS OTP is better than nothing or using just a password. But, the great news is that you don’t need to choose between SMS OTP vs nothing!
We recommend enabling more secure factors like mobile app authenticators and WebAuthn as optional factors for your users (at a minimum) - this gives them the flexibility in using more secure factors if available, and still allows for SMS OTP as backup. There are many great options for securing accounts, both in the enterprise and for consumers. To learn more about these options, check out these resources: