What is SMS 2FA?

SMS two-factor authentication (2FA) requires you to log in using your password and a one-time passcode sent to your phone via text. By combining knowledge of the password with possession of the phone, SMS 2FA provides a much stronger defence against unauthorised account access and stolen credentials.

This article explains SMS 2FA, how it works, and its pros and cons for improving login security.

What is SMS 2FA?

SMS 2FA, or SMS two-factor authentication, is an authentication method that sends a one-time passcode to a user's phone via text message. The user must input their password and passcode to access their account.

This adds an extra layer of verification, as a malicious actor would need access to both the password and the passcode to break in.

SMS 2FA is a subset of Multi-Factor authentication, which refers to using two or more factors to verify a user's identity. The factors that can be used fall into three main categories - knowledge factors like passwords, possession factors like phones, and inherence factors like biometrics.

SMS 2FA uses a combination of a knowledge factor (the password) and a possession factor (the phone/SIM card).

How Does SMS 2FA Work?

The process for logging into an account protected by SMS 2FA is as follows:

  1. The user first enters their login username and account password on the provided text fields of the login page. This is the first authentication factor.
  2. Once a valid password is accepted, a second verification step is required before access is granted. A 6–8-digit one-time passcode is randomly generated and sent to the phone number registered on the user's account via text.
  3. The user then retrieves this SMS message containing the one-time passcode from their phone's messaging app. They must copy or memorise this passcode.
  4. In an additional text field displayed after entering the account password, the user must type in this SMS passcode and hit enter or "log in" to complete authentication.
  5. If the correct one-time passcode is entered within the allotted time frame (usually 30 to 120 seconds), the second factor is verified, and the user will be logged into their account. If the wrong code or no code is supplied, access remains restricted.
  6. Optionally, an account may allow a user to check a box that reads something like "Trust this device; don't ask for codes for 7 days". This setting eliminates frequent SMS passcode entry on private PCs/devices without reducing overall account security.
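The server-side half of steps 2 and 5 above, written as an added example (this is not code from the article or from InstaSafe): it generates an unpredictable code after the password check succeeds, stores only a hash of it, and verifies the user's submission with an expiry window, a single-use rule and a guess limit. The `send_sms` callable and the injectable `clock` are assumptions standing in for a real SMS gateway and the system time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # the article describes 6-8 digit codes
CODE_TTL_SECONDS = 120   # upper end of the 30-120 second window described above
MAX_ATTEMPTS = 3         # guesses allowed per issued code (assumed policy value)


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SmsOtpVerifier:
    """Second factor of the SMS 2FA flow: issue a code, then check what the user types back."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical gateway: callable(phone_number, text)
        self._clock = clock         # injectable so expiry can be tested deterministically
        self._pending = {}          # user_id -> PendingCode; at most one live code per user

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id: str, phone_number: str) -> None:
        # secrets, not random: the code must be unguessable by anyone who does not hold the phone
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # only the hash is kept server-side, so a leaked table does not expose live codes
        self._pending[user_id] = PendingCode(self._hash(code), self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                        # nothing issued, or already consumed
        if self._clock() > entry.expires_at:
            del self._pending[user_id]          # expired: the user must request a new code
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(submitted))  # constant-time compare
        if ok or entry.attempts_left <= 0:
            del self._pending[user_id]          # single use; also discard after too many wrong guesses
        return ok
```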

Why Use SMS 2FA?

  • Enhanced Account Security - If SMS 2FA is turned on, an attacker needs more than just a login and password to get into an account. This security, via an additional factor, significantly reduces unauthorised access.
  • Wide User Accessibility - Most internet users have a mobile phone capable of receiving text messages. SMS 2FA has very high user accessibility compared to other 2FA methods.
  • Easy Setup and Use - Users simply provide their phone numbers and enter verification codes sent via SMS. Minimal user training is required.
  • Cost-Effective - SMS messages are inexpensive for service providers to implement. The existing telephone infrastructure makes this a cost-effective 2FA channel.
  • Better User Experience - SMS is a non-intrusive verification method. Users don't have to install apps or carry additional devices.

Pros and Cons of SMS Two-Factor Authentication

Pros of Using SMS 2FA

  • Its high level of compatibility allows it to work on smartphones and basic mobile phones. The only requirement is that the device can send and receive text messages.
  • It does not require the user to purchase, carry around, or install any additional equipment, hardware tokens, or authentication applications. Since text messaging capabilities are standard on mobile phones, users likely already own a 2FA-capable device.
  • SMS 2FA authentication integrates seamlessly into the normal login process with minimal interruption. After entering a password, the user simply waits briefly for a text and types in the received passcode. Even less tech-savvy users generally find this familiar and intuitive.
  • Entering one-time passcodes works even where cell service is limited and there is no internet connectivity whatsoever. The random codes themselves carry all the information needed for authentication, and the phone needs no data connection to receive or display them. In that sense SMS authentication works without an internet connection.

Cons of SMS 2FA

While SMS 2FA does enhance account security over password-only authentication, it still has some notable weaknesses that administrators, developers, and end-users should be aware of:

  • The SMS messages carrying the one-time passcodes are not encrypted. The codes travel across the cellular network as plaintext, where they are exposed to interception through attacks on the SS7 signalling network or by malicious telecom insiders.
  • SMS authentication remains susceptible to "SIM swapping" social engineering attacks. If a cybercriminal successfully transfers or ports the target's phone number onto their own SIM card, they will then receive any 2FA verification messages rather than the genuine user. This completely circumvents SMS 2FA protections.
  • Most SMS passcodes remain valid and usable for verification for up to 10 full minutes before expiring. Compared to other 2FA methods like TOTPs (Time-Based One-Time Passwords), this lengthy lifespan provides more opportunity for passcode theft or guessing.
  • Relying entirely on SMS authentication means that losing the linked phone, forgetting it at home, having no signal, or losing that device's SIM card can leave a user unexpectedly locked out of their online accounts for an extended period of time.

Use Cases for SMS 2FA

  • Low Sensitivity Accounts - Ideal for services like social media sites, gaming profiles, retail sites and entertainment where passwords alone are inadequate but threats are lower.
  • Users Without Smartphones - Allows services to offer basic two-step verification even to users that only have basic cell phones.
  • Infrequent Backup Login Method - SMS codes provide account access backup if someone misplaces their security key or loses access to their authenticator app.
  • Transitional Option When Heightening Security - SMS 2FA serves as an interim improvement for services moving from single-factor to more stringent Multi-Factor authentication.

Conclusion

SMS two-factor authentication takes advantage of ubiquitous text messaging availability to implement an additional layer of account login security. By requiring access to not just a password but also the registered user's phone number, it defends against basic unauthorised access attempts as well as attacks that use leaked or phished credentials.

While still inferior to advanced Multi-Factor authentication hardware and cryptographic methods, SMS 2FA provides a simple way for both administrators and average end users to meaningfully improve upon reliance solely on unchanging passwords.

Industry-leading security tools like Multi-Factor authentication by InstaSafe create an extra layer of protection by requiring you to authenticate your identity when logging into your accounts.

Moreover, InstaSafe's solution safeguards your sensitive information from unauthorised access.

Frequently Asked Questions (FAQs)

1. Is SMS 2FA safe?

SMS 2FA is reasonably safe for most users, but risks remain like SIM swapping or SMS interception that lower security versus authenticator apps.

2. How can I get a 2FA code by SMS?

Enable 2FA on your account, provide your phone number, and then 2FA codes will be texted to you automatically when logging in.

3. Why do banks use SMS 2FA?

Banks use SMS 2FA because it's cost-effective, accessible for users, and far more secure than passwords alone against account takeovers.

4. What are some SMS 2FA alternatives?

Some popular MFA alternatives to SMS 2FA are TOTPs delivered by authenticator apps like Google Authenticator, mobile push notifications, FIDO2 (WebAuthn) and typing biometrics.