Phone numbers as identifiers: The problem with SMS-based authentication

I recently heard about a Facebook user who encountered a very concerning login experience. After entering a password recovery code he had received via SMS, the user was accidentally logged into someone else's Facebook account.

The phone number the user had used to receive the SMS was actually a recycled number that previously belonged to someone else. Because the original owner of that number never disassociated it from his Facebook account, an SMS-based authentication attempt made with that number resulted in a login to that account. Not ideal, to say the least.

In this post, I’ll discuss the outdated concepts of identity that led to this incident, the ramifications it may have for those who use mobile authentication today, and how to protect yourself from similar scenarios.

Phone numbers as identifiers

The original intent of telephones was simply to connect people using voice communications. As a result, in a relatively short period of time, the phone number naturally became the principle public identifier. However, as we moved from analogue to digital communications and mobile phones became more sophisticated, our usage began to shift: From voice communications to data usage, with a focus on applications rather than devices. At the center of this shift was, of course, identity.

Today, users face increasing pressure from app services to link their accounts to other identifiers for security and login purposes. In the rush to sign users up as fast as possible with as little friction as possible, many application and service developers latched onto the easiest identifiers available: telephone numbers. As a result, mobile phones have come to rest at the heart of an identity revolution. The issue, however, is that phone numbers were never designed to be secure identifiers.

They were developed as a way of identifying a subscriber, so that calls could be routed to them. They aren't static. As with any dynamic, finite resource, they are subject to being recycled when they fall out of use. In the past, this wasn’t a huge issue (at worst it resulted in some misdirected calls), but because phone numbers have become identifiers within an evolving identity-based security landscape, new problems are starting to arise. While a misrouted phone call from a stranger might be irritating, gaining access to someones private photos or confidential messages is a much bigger problem.

Am I at risk of this happening to me?

There's no reliable way to find out if you are using a recycled number. The closest is probably to run a search against your number in Google or public phone directories. However, unless you have had your number for a long time, it's safe to assume your number has been recycled.

The key thing to remember is that you aren't at any more risk by using a recycled number. Rather, the lion share of the risk falls on the previous user and the service. Using a recycled number in itself is fine, but be careful. Your old number is probably being used by someone else.

What can I do to protect myself?

First, if you are changing numbers, changing telephone operators, or making any change likely to result in a new number, delete or disassociate your old number from all applications or services before you make that change.

Likewise if you are going to sell or return your phone, make sure you perform a factory reset to wipe it first.

Next, make sure you use a secure Identity based 2 Factor, or Multi Factor authentication method with any service that supports it. Don’t just rely on SMS for authentication, regardless of whether or not you think your previous number has been recycled.

SMS, like telephone numbers, was never designed to be completely secure. It relies on the telephone networks to keep it confidential and is linked to a phone number, not a user. As a result, with age, weaknesses are starting to be found that make it unsafe as an authentication method in its own right.

In 2016, NIST started indicating that it no longer considered SMS secure, and recommended deprecating it as a transport for 2FA. They have since softened their stance, but the reasons still stand: SMS was not designed to be a secure transport of information. It has a number of flaws which gave it a finite shelf life for secure usage.

Now that phone numbers are being recycled with greater frequency and ways to hijack mobile telephony are in the public domain, the end of that shelf life is upon us. From social engineering attacks aimed at moving a victim’s number, to accidental cases like this caused by number recycling, SMS has an increasing number of security risks associated with it. Though it is certainly more secure than no secondary factor at all, there are more secure alternatives out there, such as OTP or token-based authentication.

The bottom line

Login errors caused by number recycling are symptomatic of a much bigger issue: many services still rely on just a mobile phone number as an identifier, despite all the risks.

You can’t rely on a public identifier alone. There should always be some additional Identity-based authentication to ensure that it is definitely you using the service and not someone who happened to get access to your device or phone number.

This doesn't mean we should abandon mobile phone numbers completely. It just means we need to revise how we use them. Companies need to update their authentication flows and service architectures to ensure that they keep up with the latest types of risks. Finally, users need to be aware that SMS-based authentication isn’t as reliable as they may think.