What Is SMS Authentication and Is It Secure?

SMS authentication—also known as SMS-based two-factor authentication (2FA) and SMS one-time password (OTP)—allows users to verify their identities with a code that is sent to them via text message. A form of two-factor authentication, it often acts as a second verifier for users to gain access to a network, system, or application, and is a good first step toward better security. 

However, it should be noted that SMS authentication is widely considered to be a weak form of verification. We’ll dig into the reasons why, but let’s first get an understanding of how SMS authentication works and the pros and cons of using it.

How does SMS authentication work?

This form of authentication is actually quite simple. After signing in, the user receives a text message with an SMS authentication code. All they need to do is enter that code on the app or website in question to gain access. You’ve probably experienced this yourself when logging in to Amazon, Facebook, Google, Twitter, and other services.

As a possession-based factor, SMS authentication verifies a user’s identity based on something they own (i.e., a mobile phone). This adds an extra layer of security to a login. In theory, bad actors would have to steal a user’s password and their phone in order to gain unauthorized access to an account.

Pros of SMS authentication

While it’s generally recommended to move away from SMS authentication, there are a few reasons why people and organizations continue to use it:

• More secure than passwords alone: Passwords are inherently weak because users tend to forget them, recycle them across various accounts, or have them stolen due to poor storage practices (e.g., writing them on a sticky note). SMS authentication helps to minimize our reliance on passwords, and makes it more difficult for bad actors to steal logins and hack accounts. 
• Convenience: One of the reasons users recycle passwords is because of the sheer volume of online accounts they create and manage: our research shows that people have to remember 10 passwords every day. SMS authentication removes this hassle as it sends unique codes directly to the user, which they can then easily input on a website or app to verify their identities.
• Better than no 2FA: Proving an identity with more than one piece of information is always going to be more secure than proving it with a single factor. SMS authentication, therefore, is a safer alternative.

Cons of SMS authentication

Despite it being convenient and simple to use, there are some downsides to using SMS authentication—and organizations have to question whether it’s sufficient enough to protect their corporate, employee, and customer data. 

Here are a few risks you should keep in mind:

• SIM swapping: Having an authentication code sent to a personal mobile phone may sound secure—but bad actors have found ways to intercept SMS messages. For example, they can contact a phone company and (using the personal information they have collected about a target, like a SSN) request that a number be transferred to another phone. This then gives them access to any SMS authentication code that’s sent to that phone number.

• SIM hacking: SIM hacking and other SMS or text message intercept attacks also pose a risk. For instance, malicious actors can spoof cell phone tower signals and SS7 systems (used to enable data roaming) to see the information contained in private messages.
• Lost and synced devices: Relying on SMS authentication is risky considering the rate at which devices are lost and stolen—and it’s even riskier when those devices are logged into social media accounts and banking apps. Synced devices also create an opportunity for bad actors, as text messages and other data can be accessed from multiple smartphones, laptops, tablets, and wearables. 
• Online account takeover: Many wireless service providers allow users to view text messages via online accounts on their web portals. If these accounts aren’t secured with a trusted second factor, bad actors may gain access and attempt to monitor them for SMS authentication codes.
• Social engineering attacks: Today, social engineering attacks such as phishing are as prevalent on mobile devices as they are on desktop and laptop computers. They occur when malicious actors pose as a trusted organization in an attempt to convince targets to hand over their personal information and passwords—including SMS codes—which they can then use to gain unauthorized access.
• Cost: In addition to the security risks outlined above, organizations should also consider the cost of implementing SMS authentication. Price varies greatly across providers, and can change depending on the volume of SMS messages being sent. Moreover, the cost of an attack enabled by weak SMS authentication can prove catastrophic to organizations. 

Is SMS authentication secure?

With all of these SMS attacks and security issues in mind, it’s clear that hackers are growing more sophisticated every day; even small amounts of information can be used to hijack mobile phones, spoof user identities, and access accounts. So, to answer the question: no, SMS authentication is not entirely secure. In fact, the National Institute of Standards and Technology (NIST) formally advised against the use of SMS authentication in 2016. While they have since amended their statement, the vulnerability that SMS authentication poses is still significant.

Why is SMS-based 2FA still so popular?

The SMS security risks outlined above have been widely and publicly discussed for many years. And yet SMS for 2FA is still widely used by many organizations. Why?

For starters, SMS authentication is easy to deploy and use. In addition, customers and employees alike have grown accustomed to using it to gain access to their various applications, whether they’re logging onto Slack, transferring funds, or playing Guild Wars 2. End users want quick, seamless authentication experiences and see SMS as a perfect solution, without necessarily considering the security risks.

If organizations want to move away from SMS authentication, they need alternative solutions that are just as easy to use.

Alternatives to SMS authentication

SMS OTP solutions are better than having no authentication in place at all. However, there are better options for businesses looking to keep their data and users secure.

FIDO2 (WebAuthn)

FIDO2 is a standard that simplifies and secures user authentication. It uses public key cryptography to protect from phishing attacks and is the only phishing-proof factor available. Plus, it was announced as the new web standard for passwordless logins by the World Wide Web consortium in 2019. 

Examples of FIDO2 in use include on-device authenticators like Windows Hello on Windows 10, TouchID on MacBook, and Fingerprint on Android, as well as off-device authenticators like Yubikey and Feitian BioPass. These features not only increase security, but also improve the login experience for users. Compared to answering a security question, for instance, passwordless authentication is a faster, easier way to gain access to accounts and services

Mobile authenticator apps

Mobile authenticator apps—such as Okta Verify and Google Authenticator—operate similarly to SMS authentication. When a user logs in to a site or app using their username and password, one of two things can happen: the authenticator app will generate an OTP that can be entered into the service in question, or it will send a push notification that asks you to approve or deny the login request.

Compared to SMS, these tools are more secure because they don’t rely on cellular service. In addition, the code generated by these apps expires within a few minutes, eliminating several of the risks we outlined above.

Going beyond SMS authentication

Ditching SMS as an authentication factor can be easier said than done. The key is to get users accustomed to other, more secure alternatives—and to make their authentication experiences as seamless as possible. Most smartphones, for example, can verify biometric factors (e.g., a fingerprint) with minimal friction. In addition, FIDO2 allows users to enroll more than one authentication factor, giving them multiple ways to access the applications and systems they need without a password.

With cyber attacks becoming more frequent and sophisticated, it’s vital for organizations to increase their security defenses. This means moving away from using passwords and deploying solutions that make it as difficult as possible for attackers to steal user credentials or gain unauthorized access to data and resources. And while SMS authentication is a step in the right direction, there are more secure factors that are just as (if not more) intuitive for end users.

For more information about the various authentication factors available, and the pros and cons of each, check out our Factor Assurance datasheet.