SMS Two-Factor Authentication is Alive and Kicking

Upon hearing rumors he had died, author Mark Twain is said to have quipped to a newspaper: “Reports of my death have been greatly exaggerated.”

Keep this quote in mind if you come across articles claiming that authentication apps are going to consign SMS two-factor authentication (2FA) to history.

Far from dying off, SMS will be confirming online identities across the world for many years to come.

In fact, you can bet on its usage growing – fast.

Ease and simplicity

First of all, let’s be clear about one thing. No form of online security is absolutely secure.

Using dual authentication techniques (for example, a password and a passcode sent to your phone) is far more secure than one-factor authentication (a single password).

So concluding that flaws in the SMS authentication system render it redundant is a huge leap of logic.

The reality is that people everywhere – including a reported 90% of Gmail users – are still leaving themselves wide open to fraud by securing important online accounts with a single password only.

They’re failing to take up the option of 2FA for reasons including: the hassle involved, the unfamiliarity of the technology, or because they underestimate the threat to their accounts and applications.

So, to ensure as many of the reluctant masses as possible protect themselves, an uber-simple and accessible 2FA method is needed.

That’s where SMS comes in.

The rise of authentication apps

SMS 2FA is a beautifully simple system because almost everyone has a mobile phone and almost everyone uses their text inbox. To receive passcodes via SMS, you only need to tick a permission box.

Authentication apps are another excellent option for businesses and consumers that are serious about security. They generate unique passcodes, which must be entered as part of a log-in process.

But authentication apps have a downside. If a business wants people to use an authentication app, it must first persuade them to download it. This is a small but significant barrier in itself.

Additionally, the user must undergo a security process to enter their details and confirm their identity (which often includes being sent an SMS 2FA code through their phone). And there’s real inconvenience if you ever change phones, as you have to update authentication details on all your apps.

The reality is that many organizations will struggle to persuade large numbers of users to do this – as evidenced by the low adoption rate of Gmail users who have access to a ready solution in the form of Google’s own Authenticator app. You can put this assertion to the test yourself. Conduct an online poll among your friends or colleagues. How many of them use an authentication app? How many of them are planning to use one?

Network security is all about managing risk and finding solutions that are “sticky”. SSL web-browsing has risks, but it has boosted online security because it’s conveniently built into web browsers. And therein lies the beauty of SMS 2FA: it’s easy and accessible, and it’s far safer than relying on a one-factor password process. You don’t ignore car seat belts because they can’t protect you from every sort of crash. You use them and look for other ways to keep yourself safe as well – airbags for example.

SMS 2FA is dead…long live SMS 2FA

So what are the security issues with SMS?

A few years ago, just as SMS 2FA was taking off, a flaw in the system came to light. Attackers worked out they could call a mobile network provider claiming to be a customer, then persuade the operator to port that customer’s number onto a new SIM card. This meant an attacker could receive a customer’s SMS messages on a new SIM – including any 2FA alerts.

Fortunately, this process lapse has been largely fixed. Now all major network providers insist that customers prove their identity before accessing their account.

But, there’s also the rare incidence of attacks on the SS7 system to consider. SS7 is a set of protocols that allows phone networks to exchange information with each other. Sophisticated attackers can potentially access the SS7 system. If they also have a target’s username and password, they can then reroute text messages for that person’s number.

Fortunately, these types of attacks are incredibly rare and difficult to pull off. Unless attackers are going after extremely high-value individual targets, they’re highly unlikely to go to all the trouble of both entering the SMS network and getting hold of usernames and passwords.

What’s more, operators across the world have woken up to the SS7 threat and have been installing firewalls to protect the network over the past few years.

Official backing for SMS 2FA

In 2016, the US’s National Institute of Standards and Technology (NIST) – one of the most influential authorities on online security in the world – created a draft of its annual publication, which questioned the effectiveness of SMS 2FA based on SS7 vulnerabilities.

This led to many headlines announcing the demise of SMS 2FA. But, following further investigations, NIST experts revised their decision. The final version of the guidelines specifically recommended SMS as an effective 2FA measure, while discounting email or VoIP channels because they don’t “prove possession of a specific device”.

In short, SMS has been found by NIST to improve security exponentially without creating barriers for employees and customers to overcome. It can be rolled out to thousands of users at lightning speed, and it’s incredibly cost-effective. For these reasons, it’s likely to remain the most widely-used and effective 2FA tool for organizations and their stakeholders.

Reports of the death of SMS 2FA are, indeed, greatly exaggerated.

Mar 6th, 2019
4 min read