What is SMS Authentication and Is It a Secure Solution?

SMS authentication uses text messages to transmit a unique code to a user's mobile phone so they can confirm their identity. This adds an extra security layer beyond just a password. While convenient, SMS authentication has vulnerabilities that may raise security concerns.

This blog explores how SMS authentication works, its pros and cons, and evaluates whether it is a secure solution compared to alternative authentication methods like biometrics or security keys.

What is SMS Authentication?

SMS authentication, also known as SMS two-factor authentication (2FA), involves sending a one-time code to your registered mobile phone number to confirm your identity. While SMS authentication offers improved protection against unauthorised access compared to passwords alone, its security has been questioned due to various vulnerabilities.

How Does SMS Authentication Work?

The process of SMS authentication is relatively straightforward. When a user attempts to log in to an account or perform a sensitive transaction, the system generates a one-time passcode (OTP).

This code is then sent as a message to the user's registered mobile phone number. The user is prompted to enter the received code as an additional verification step, confirming that they have possession of the registered device.

SMS authentication falls under the category of "something you have" authentication factors, which is one of the three main categories of authentication factors, alongside "something you know" (e.g., passwords, security questions) and "something you are" (e.g., biometric data like fingerprints, facial recognition, or iris scans).
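The issue-and-verify flow described above, written out server-side as an added example (not code from this page or from InstaSafe). The SMS gateway is abstracted as a callable, and the 6-digit, 5-minute, 5-attempt policy values are assumptions; the points a practitioner should take from it are the CSPRNG-generated code, hashed storage, expiry, attempt limit, constant-time comparison and single use.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for this example, not figures from the text.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def hash_code(code: str, salt: bytes) -> bytes:
    # Only a salted hash is stored, so a leaked OTP table does not expose live codes.
    return hashlib.sha256(salt + code.encode()).digest()


class SmsOtpService:
    """Server side of the SMS OTP flow: issue a code, hand it to the SMS gateway, verify it once."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone_number, text); the real gateway is out of scope
        self.now = now             # injectable clock so expiry can be tested deterministically
        self.pending = {}          # user_id -> [salt, code_hash, expires_at, attempts_left]

    def issue(self, user_id: str, phone_number: str) -> None:
        # A CSPRNG-backed code; random.randint would be predictable.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self.pending[user_id] = [salt, hash_code(code, salt), self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(phone_number, f"Your verification code is {code}. It expires in "
                                    f"{CODE_TTL_SECONDS // 60} minutes. Never share it.")

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self.pending.get(user_id)
        if entry is None:
            return False                    # nothing issued, or the code was already consumed
        salt, code_hash, expires_at, _ = entry
        if self.now() > expires_at or entry[3] <= 0:
            del self.pending[user_id]       # expired or too many guesses: the code must be reissued
            return False
        entry[3] -= 1                       # charge the attempt before comparing, to limit brute force
        ok = hmac.compare_digest(hash_code(submitted, salt), code_hash)
        if ok:
            del self.pending[user_id]       # single use: replaying a captured code fails
        return ok
```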

Types of One-Time Passwords (OTPs) Used in SMS Two-Factor Authentication

There are two main types of OTPs used in SMS authentication:

  1. Time-Based One-Time Password (TOTP): A TOTP is only valid for a short window, typically 30-240 seconds. If the text message arrives after that window, the code has already expired and must be reissued.
  2. HMAC-Based One-Time Password (HOTP): HOTP is event-based; it derives the code from an HMAC (Hash-based Message Authentication Code) over a counter that advances with each use, rather than over a time step. Because HOTPs are not tied to time, they remain valid until they are used.

Benefits of SMS Authentication

SMS authentication offers several advantages over traditional password-based authentication, making it a popular choice for organisations seeking to enhance their security posture.

Enhanced Security

SMS authentication adds a second factor on top of the password, so an attacker needs more than a guessed or stolen password to get into an account on the system.

With this multi-factor strategy, the likelihood of an account being compromised through common attack vectors such as password guessing, phishing, or credential stuffing is considerably reduced.

Convenience and User Familiarity

Most people are familiar with receiving and sending text messages, which makes SMS authentication a relatively user-friendly and widely adopted solution.

Unlike other authentication methods that may require specialised hardware or software, SMS authentication leverages a technology that users already understand and use regularly in their daily lives.

Ubiquity and Accessibility

With the widespread use of mobile phones across different demographics and regions, SMS authentication can be implemented across a broad range of platforms and services, making it accessible to a large user base.

This ubiquity is particularly valuable for organisations with a diverse and geographically dispersed user base, enabling them to provide a consistent authentication experience.

Cost-Effectiveness

SMS authentication can be a cost-effective option for organisations, particularly those with a large user base, compared to methods such as hardware tokens or biometric scanners. This matters most for organisations that have to authenticate many users.

Compared with the overhead of deploying and maintaining specialised authentication hardware or software, the cost of delivering SMS messages is usually lower.

Disadvantages and Vulnerabilities of SMS Authentication

Despite its advantages, SMS authentication has several inherent vulnerabilities and drawbacks that have raised concerns about its overall security.

These vulnerabilities have led to ongoing debates and recommendations from security experts and organisations to explore more secure authentication alternatives or to implement SMS authentication with appropriate safeguards.

Lack of End-to-End Encryption

SMS messages are typically transmitted in clear text, meaning they are not end-to-end encrypted.

This makes them vulnerable to interception by malicious actors who have gained access to the communication channel, such as through a man-in-the-middle attack or by exploiting vulnerabilities in the cellular network infrastructure.

Intercepted SMS messages containing OTPs can potentially compromise the user's account or system access.

SIM Swapping and SIM Cloning Attacks

Among the most significant threats to SMS authentication are SIM swapping and SIM cloning attacks. In a SIM swapping attack, a malicious actor convinces a cellular operator to move a victim's mobile number to a new SIM card that is under the attacker's control.

This gives the attacker the ability to receive any SMS messages that were meant for the victim, including authentication codes. SIM cloning involves creating a duplicate of a victim's SIM card, enabling the attacker to receive the same SMS messages as the victim.

These attacks can be facilitated through social engineering techniques, such as phishing or vishing (voice phishing), where attackers trick cellular provider employees into transferring the victim's number or obtaining personal information to impersonate the victim.

Signalling System 7 (SS7) Vulnerabilities

The Signalling System 7 (SS7) protocol is a fundamental component of modern telecommunication networks, responsible for routing calls, texts, and other data between different networks.

However, vulnerabilities in the SS7 protocol have been discovered and exploited by attackers, allowing them to potentially intercept SMS messages or even track the location of a device.

Social Engineering and Phishing Attacks

SMS authentication is also susceptible to social engineering attacks, such as phishing or smishing (phishing via SMS). In these attacks, malicious actors attempt to trick users into revealing their authentication codes by impersonating legitimate services or organisations.

Users may inadvertently disclose their authentication codes, compromising the security of their accounts or systems.

Lost or Stolen Devices

An attacker who obtains a lost or stolen mobile device can read the SMS authentication codes delivered to it, compromising account or system security. This risk is compounded by the lack of encryption and by the ability to intercept SMS messages remotely, even without physical access to the device.

Cost and Scalability Considerations

While SMS authentication can be cost-effective for smaller organisations or those with a limited user base, the cost of sending large volumes of SMS messages can become significant as an organisation's user base grows.

Additionally, SMS delivery can be unreliable in certain regions or during network congestion, potentially causing delays or failures in authentication processes, leading to frustration and reduced user experience.

Dependence on Cellular Network Infrastructure

SMS authentication relies heavily on the cellular network infrastructure, which can be susceptible to outages, service disruptions, or other technical issues. If the cellular network is unavailable or experiencing problems, users may be unable to receive authentication codes, effectively locking them out of their accounts or services until the issue is resolved.

Alternatives to SMS Two-Factor Authentication

  1. FIDO2 (WebAuthn): Uses public-key cryptography for phishing-resistant authentication without passwords or SMS codes.
  2. Mobile Authenticator Apps: Generate time-based codes independently of cellular networks, reducing interception risks.
  3. Biometric Authentication: Leverages unique physiological traits like fingerprints or facial recognition.
  4. Email-based Authentication: Sends codes to registered email addresses, potentially more secure than SMS.
  5. Push Notifications: Prompt users to approve logins on their mobile devices, eliminating shared secrets.
  6. Security Keys and Hardware Tokens: Physical devices generating OTPs or providing cryptographic authentication.

SMS Authentication Best Practices

  1. Risk-Based Approach: Use SMS authentication for low-risk scenarios and stronger methods for sensitive transactions.
  2. Multi-Factor Strategy: Combine SMS with other factors like biometrics or security keys to mitigate weaknesses.
  3. User Education: Educate users on risks like sharing codes or responding to phishing attempts.
  4. Continuous Monitoring: Stay informed about emerging threats and update strategies accordingly.
  5. Additional Controls: Implement device fingerprinting, IP restrictions, or geolocation checks for added security.
  6. Incident Response: Have plans to revoke credentials, notify users, and prevent further exploitation in case of breaches.
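The risk-based approach, multi-factor strategy and additional controls (device fingerprinting, IP restrictions, geolocation) from the list above, combined into one step-up policy as an added example; this is not InstaSafe's code, and the factor names, risk weights, high-risk action set and value threshold are assumptions. The policy never accepts an SMS code for a high-risk action, and it treats changing the registered phone number as high-risk because that is precisely the channel a SIM-swap attacker controls.

```python
from dataclasses import dataclass

# Factor names are assumptions for this example. Order is preference, strongest first.
PHISHING_RESISTANT = ("fido2", "security_key")
STRONG = PHISHING_RESISTANT + ("authenticator_app", "push")
# Actions that must never be authorised by an SMS code alone (assumed set). Changing the registered
# phone number is included because a code sent to that number is what a SIM-swap attacker receives.
HIGH_RISK_ACTIONS = {"transfer", "add_payee", "change_phone_number", "disable_mfa"}
HIGH_VALUE_THRESHOLD = 1000.0   # assumed transaction-value threshold


@dataclass
class LoginContext:
    user_id: str
    action: str                    # e.g. "login", "view_statement", "transfer"
    device_known: bool             # device fingerprint previously seen for this user
    ip_allowed: bool               # source IP inside the organisation's allowlist
    country_matches_profile: bool  # geolocation agrees with the user's usual country
    enrolled_factors: tuple        # factors the user has registered, e.g. ("sms", "fido2")
    amount: float = 0.0


def risk_score(ctx: LoginContext) -> int:
    """Additive score from the signals named in the best-practices list."""
    score = 0
    if not ctx.device_known:
        score += 2
    if not ctx.ip_allowed:
        score += 1
    if not ctx.country_matches_profile:
        score += 2
    if ctx.action in HIGH_RISK_ACTIONS or ctx.amount >= HIGH_VALUE_THRESHOLD:
        score += 3
    return score


def required_factor(ctx: LoginContext) -> str:
    """Strongest enrolled factor the policy accepts for this request, 'password_only' or 'deny'."""
    score = risk_score(ctx)
    if score == 0:
        return "password_only"
    acceptable = STRONG if score >= 3 else STRONG + ("sms",)   # SMS only in low-risk contexts
    for factor in acceptable:                                  # prefer the strongest factor enrolled
        if factor in ctx.enrolled_factors:
            return factor
    return "deny"   # nothing acceptable enrolled: require out-of-band enrolment, never fall back to SMS
```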

Conclusion

While providing an additional security layer beyond passwords, SMS authentication is widely considered a weak form of authentication due to its vulnerabilities. Organisations should carefully assess their specific risks, security requirements, and user experience needs when deciding whether to implement SMS authentication.

For applications or services handling sensitive or high-value data, it is recommended to adopt more secure alternatives like FIDO2, mobile authenticator apps, or biometric authentication.

As a more secure alternative to SMS-based 2FA, InstaSafe offers a strong option that businesses can utilise.

Our Multi-Factor Authentication combines authentication factors such as biometrics, push notifications and security keys to mitigate the vulnerabilities associated with SMS authentication.

Frequently Asked Questions (FAQs)

1. Is SMS authentication secure?

While SMS authentication adds an extra layer of security on top of passwords, it is widely considered a weak form of authentication due to vulnerabilities such as lack of encryption, SIM attacks, and susceptibility to social engineering.

2. Is SMS texting more secure than authentication apps?

No, authentication apps that generate time-based codes independently of cellular networks are generally considered more secure than SMS texting, which is vulnerable to interception and SIM-related attacks.

3. What is the problem with SMS authentication?

The main problem with SMS authentication is its reliance on the cellular network infrastructure, which is exposed to attacks such as SIM swapping and SS7 exploitation and carries messages without end-to-end encryption.