Many websites and apps have started to offer two-factor authentication 2FA solutions for their logins. According to the 2018 Global Password Security Report, organizations which are using two-factor authentication (2FA) has risen from 24 percent in 2017 to 45 percent in 2018.
This is a very significant increase. However, most platforms only offer the most basic authentication methods via email or SMS. Although many believe that SMS protection is way better than having no protection at all. But is SMS really secure? Let’s list out the pros and cons of SMS 2FA below:
SMS 2FA Pros
SMS two-factor authentication is among the most used method by most website and platforms. The biggest reason is it is very common. SMS is a standard feature of most mobile phones and is supported by basically every mobile operator all over the world. Even the simplest mobile phone supports SMS.
Easy to Use
Among other authentication options, SMS also has the best utility. There is no need to install any app or download QR codes. It’s simple and convenient. Even non-tech savvy users and users of virtually all ages know how to use mobile phones.
For business owners, SMS two-factor authentication is an attractive option because it is affordable. Everyone has their own mobile phone so there is no need for extra hardware or software.
Some two-factor authentication methods are not usable if there is no internet access. However, an SMS verification code will be delivered to your phone no matter what. This way, you immediately notice if there is something wrong, and you are able to do necessary actions to prevent it.
2FA SMS Cons
Too dependent on the device
You can access your emails everywhere. Same as applications, you can easily install it to another device and log in. However SMS authentication is very dependent on the device. If your phone gets lost or your SIM card gets broken, you may not be able to access your account.
Many cybersecurity experts consider SMS authentication as the most unsecure multi-factor authentication option. In fact, back in 2016 the National Institute of Standards and Technology (NIST) has issued a recommendation to replace SMS authentication with other types of authentication methods. Here’s how cybercriminals can break-in through your mobile phones to intercept your SMS one-time passwords:
- SIM card duplication. An attacker can try to impersonate the victim and convince the mobile service provider to issue another card with a similar number because it was lost or broken. This isn’t difficult to do if the attacker has access to the victim’s personal information.
- SIM rerouting or hijacking. This is a similar method to duplication but much simpler. The attacker again impersonates you and requests your telecom service provider to activate your number onto a SIM card of their possession. Usually, the operators only do a quick verification for this process such as providing the full name, address, phone number, DOB, and passcode or the last four digits of your social security number—that’s it.
- Malware attacks. This attack involves recovering cryptographic key material from your SIM card and infecting your phone SIM-born malware. With this, the perpetrator would be able to monitor or eavesdrop on all your conversations. This includes all text messages or phone calls.
- Phishing. Previously, a report revealed that two-factor authentication using one-time passcodes sent via email or SMS could be hacked by baiting the victim to log in on a duplicate website and stealing its session cookie.
- Resetting 2FA options. If the hacker can access your email, they can simply reset your 2FA settings and replace your phone number with their own.
Though SMS authentication has many advantages, it is not the best option to protect sensitive information. SMS relies on the Signaling System 7 telephony protocol (SS7), which was developed in 1975. Clearly, it is an outdated method with a lot of vulnerabilities.
Still, using SMS two-factor authentication solutions is still more secure than relying on username-and-password only combinations. If the website or app offers no other options, it won’t hurt to use SMS 2FA. However, you shouldn’t trust it with your important accounts such as banking and other financial apps.
There is no such thing as “perfect security.” Whether it is email, SMS, biometrics, app push or hardware tokens, every method of authentication has its own advantages and disadvantages. The best way is to combine these methods and form a layered security through multi-factor authentication. Even if one factor gets breached, there will be other factors to block and slow down malicious attacks.
Learn more about how TraitWare has gone beyond 2FA with Passwordless MFA