Short message service (SMS), also known as text messaging, is something you may use every day with your friends and colleagues. Texts sent to your phone can be forwarded or synced with other devices to make sure you never miss a message. SMS can also be used to authenticate a user's identity. Let's look at how SMS authentication works and whether it is secure.
What is SMS Authentication in Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)?
Presenting users with multiple options to verify their identity helps reduce fraud and defend against bad actors. Passwords are the least secure authentication method and can be guessed, stolen or bought on the dark web, so they need to be reinforced. SMS authentication is not typically used as a primary or sole authentication method, but it's commonly used as the second authentication factor in two-factor authentication (2FA) and multi-factor authentication (MFA).
Authentication types are broken out into three main categories, with SMS authentication falling under the Possession factor:
Knowledge - Something you know. This includes passwords, a PIN (personal identification number), or answers to security questions.
Possession - Something you have. This includes smartphones, mobile devices, security tokens, key fobs and other devices that can either generate or receive one-time passwords (OTPs) or codes.
Biometric - Something you are. This is a physical trait, like a fingerprint or face, that can be scanned for authentication.
How Does SMS Authentication Work?
A one-time password (OTP) is created using an algorithm and sent via text message to a phone number associated with the user. This automatically generated sequence of characters (letters and/or numbers) is valid for a single login session or transaction.
The user enters the OTP into an authentication window, which submits it to the authentication server to verify that it matches the code that was issued. If SMS authentication is the final verification method required, the user can now access their account and associated resources. If a third authentication factor is required for multi-factor authentication (MFA), as may be the case for high-value transactions or logins from suspicious IP addresses, access will only be granted after the third proof of identity is provided.
SMS Authentication Codes - Types of One-time Passwords (OTPs)
There are two main types of one-time passwords (OTPs) used as SMS authentication codes. Both use algorithms to generate a new, unpredictable code every time a password is requested. Because users neither create these passwords nor reuse them across multiple accounts, a compromised OTP has far less value to bad actors than a traditional password.
Time-based one-time password (TOTP) uses time as a moving factor, with passwords typically expiring within 30-240 seconds. If there is a delay in the user receiving a TOTP, such as a slow connection, the TOTP may expire before it can be used and a new one will need to be requested.
HMAC-based one-time password (HOTP) is an event-based password that uses a counter as the moving factor instead of time. HMAC stands for hash-based message authentication code. HOTPs can stay valid for a longer period of time because they aren't time-based.
Is SMS Authentication Secure?
SMS codes can only be used once, making them more secure than passwords. Even so, determined bad actors can still breach a network that uses SMS authentication. For example, hackers used a flaw in Coinbase's account recovery process to get the SMS two-factor authentication token to break into 6,000 customer accounts and transfer funds out of them. They also had access to the email address, password and phone number associated with each account, which may have been stolen through a phishing scheme.
SMS messages are sent in clear text and viewable on the user's screen, even a phone's preview screen when the phone is locked.
SIM swapping is used to fraudulently convince a wireless carrier to assign a phone number to a new SIM card. SIM cards can also be cloned and used in different phones.
A Signaling System 7 (SS7) attack can be used to intercept text messages.
Man-in-the-middle attacks can hijack inbound SMS codes or intercept the code being entered on a web page.
Devices that receive SMS, including phones, tablets and laptops, can be stolen.
For these reasons, SMS authentication is usually combined with other authentication factors to make it more secure.
Is SMS Authentication User-friendly?
Enterprises have to balance convenience and security when deciding which authentication methods to use. This is especially true with customers, who want a seamless and frictionless experience, while also expecting enterprises to keep their accounts and data secure. Frustrated customers can give up and use a competitor after a bad experience.
Since people who have mobile devices are typically familiar with text messages, the learning curve for receiving codes is not as steep as with other methods, but users will have to become familiar with the associated authentication windows. There are some additional challenges with SMS authentication, including:
If it takes too long for the text to arrive, a time-based passcode (TOTP) can expire before use, or users may get frustrated and abandon the experience.
OTPs can be hard to memorize and are easily mistyped if cut and paste isn't an option.
A user may have to close a web browser, open an SMS app, copy the OTP, then reopen the web browser, adding too much friction to the process.
There are alternative ways for users to receive OTPs, including mobile-based authenticator apps offered by Ping, Google and Microsoft. To learn more about different forms of authentication, read our Ultimate Guide to Authentication.