a good thing!
Short message service (SMS), also known as text messaging, is something you may use every day with your friends and colleagues. Texts sent to your phone can be forwarded or synced with other devices to make sure you never miss a message. SMS can also be used to authenticate a user's identity. Let's look at how SMS authentication works and whether it is secure.
Presenting users with multiple options to verify their identity helps reduce fraud and defend against bad actors. Passwords are the least secure authentication method and can be guessed, stolen or bought on the dark web, so they need to be reinforced. SMS authentication is not typically used as a primary or sole authentication method, but it's commonly used as the second authentication factor in two-factor authentication (2FA) and multi-factor authentication (MFA).
Authentication types are broken out into three main categories, with SMS authentication falling under the Possession factor:
A one-time password (OTP) is created using an algorithm and sent via text message to a phone number associated with the user. This automatically generated sequence of characters (letters and/or numbers) is valid for a single login session or transaction.
The user copies the OTP to an authentication window that verifies the code with the authentication server to ensure there is a match. If SMS authentication is the final verification method required, the user can now access their account and associated resources. If a third authentication factor is required for multi-factor authentication (MFA), as may be the case for high-value transactions or logins from suspicious IP addresses, access will only be granted after the third proof of identity is provided.
There are two main types of one-time passwords (OTPs) used as SMS authentication codes. Both use algorithms to generate a new, random code every time a password is requested. Because users do not create these passwords and reuse them on multiple accounts, compromised OTPs have less value to bad actors than traditional passwords.
SMS codes can only be used once, making them more secure than passwords. Even so, determined bad actors can still breach a network that uses SMS authentication. For example, hackers used a flaw in Coinbase's account recovery process to get the SMS two-factor authentication token to break into 6,000 customer accounts and transfer funds out of them. They also had access to the email address, password and phone number associated with each account, which may have been stolen through a phishing scheme.
SMS vulnerabilities that can be exploited include:
For these reasons, SMS authentication is usually combined with other authentication factors to make it more secure.
Enterprises have to balance convenience and security when deciding which authentication methods to use. This is especially true with customers, who want a seamless and frictionless experience, while also expecting enterprises to keep their accounts and data secure. Frustrated customers can give up and use a competitor after a bad experience.
Since people who have mobile devices are typically familiar with text messages, the learning curve for receiving messages is not as steep as other methods, but users will have to become familiar with the associated authentication windows. There are some additional challenges with SMS authentication, including:
There are alternative ways for users to receive OTPs, including mobile-based authenticator apps offered by Ping, Google and Microsoft. To learn more about different forms of authentication, read our Ultimate Guide to Authentication.