In 2016, the National Institute of Standards and Technology (NIST) published a draft of Special Publication 800-63B that deprecated SMS as an out-of-band authenticator, finding it unsuitable for strong authentication. Since then, whether SMS should still be used for two-factor authentication (2FA) has been debated. We think it should, and here is why.
What are the benefits of using SMS in 2FA?
SMS is one of the traditional channels for delivering the second factor in 2FA (two-factor authentication). It was chosen because it is convenient for the receiver: nearly everyone carries a phone. It is also easy and fast to provision for the sender, and the channel is cheap. So, what are the potential issues with SMS?
What is the criticism around SMS in 2FA?
Is the message actually delivered to the right person?
First, people argue that SMS does not fully satisfy the requirements of 2FA. The two factors verified are something the user knows and something the user has. Usually "something the user knows" is a password, and the SMS is meant to prove "something the user has". But a phone can be lost or replaced, and the phone number can be moved to a new device. SMS can also be received on other devices, such as tablets, or online through VoIP services, so possession of the number does not prove possession of a particular handset.
That is true, but it is also a rare situation. With SMS in 2FA, the text message arrives on the user's phone almost immediately and is only useful for a short time. It is unlikely that the user loses their phone at the very moment you send the SMS, or that someone else receives it on another device and misuses it before it expires. The practical check is to make sure that window really is short: a code should expire within minutes, be valid for a single login, and be locked after a handful of wrong guesses.
The protocol used to send SMS is obsolete
A second recurring argument concerns the security of the network. SS7, the signalling protocol that lets telecom networks talk to each other, has known weaknesses, and attackers have found ways to abuse them, for example to intercept messages. In some cases, carriers themselves can read the text messages they deliver.
Again, this argument is true, but it describes a rare case. SMS can be intercepted, just as email can, but the probability that it happens at the moment your user logs in with 2FA is low. Networks in the European Union and North America are also generally considered better protected; security holes are more often reported in Africa and Asia. Keep in mind, though, that SS7 is an interconnected global network, so a weakly controlled operator anywhere can be a way in to subscribers elsewhere.
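As an added example (not from the original article), here is the server side of an SMS code flow that keeps the exposure window short: codes are random, stored only as a keyed hash, single-use, expire after a few minutes and lock after a few wrong guesses. The policy values, the server key and the in-memory store are assumptions for illustration; a real deployment would keep the key in a secrets manager and the state in a shared store.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for this example, not figures from the article.
CODE_LENGTH = 6          # digits sent in the SMS
CODE_TTL_SECONDS = 300   # code is useless after five minutes
MAX_ATTEMPTS = 5         # wrong guesses before the code is burned

# Placeholder server key: in production this comes from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)


def _mac(user_id: str, code: str) -> str:
    # Keyed hash so a leaked table does not reveal live codes
    # (6 digits alone would be trivial to brute-force from a plain hash).
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()


class SmsOtpStore:
    """Server-side bookkeeping for one-time codes delivered by SMS."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._pending = {}         # user_id -> (mac, expires_at, wrong_attempts)

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id; the return value is what you send by SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[user_id] = (_mac(user_id, code), self._now() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """True only for the live, unexpired, not-yet-used code with attempts to spare."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        expected, expires_at, wrong = entry
        if self._now() > expires_at or wrong >= MAX_ATTEMPTS:
            del self._pending[user_id]          # expired or locked: burn it
            return False
        if hmac.compare_digest(expected, _mac(user_id, submitted)):
            del self._pending[user_id]          # single use: a replayed code fails
            return True
        self._pending[user_id] = (expected, expires_at, wrong + 1)
        return False


class _FakeClock:
    """Constructed clock so the demo can fast-forward past the expiry."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


def demo() -> dict:
    """Walk one user through the failure modes the text discusses."""
    clock = _FakeClock()
    store = SmsOtpStore(now=clock)
    results = {}

    code = store.issue("alice")
    results["wrong_guess"] = store.verify("alice", "x" * CODE_LENGTH)  # never matches digits
    results["right_code"] = store.verify("alice", code)
    results["replay"] = store.verify("alice", code)                     # already consumed

    code = store.issue("alice")
    clock.t += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify("alice", code)                    # arrived too late

    code = store.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", "x" * CODE_LENGTH)
    results["locked_out"] = store.verify("alice", code)                 # right code, but locked
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the attempt cap is that a six-digit code has only a million values; without it, an attacker who can trigger logins could simply guess. The keyed hash and constant-time comparison are cheap extras that stop a database dump or a timing side channel from leaking a code that is still live.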
What are the current alternatives to SMS in 2FA?
The most popular alternatives to SMS are hardware OTP tokens and mobile applications. A hardware token is a secure option, but it means you have to provide a device to every user, which increases the cost of your 2FA rollout. It also becomes difficult to manage when many new users need to receive a token, and it is less fluid, since a user cannot log in immediately the first time. There is also the risk of losing the token, which usually is not reported lost and replaced until the next time the user needs it. A phone, on the other hand, is replaced immediately by its owner when lost.
A mobile authenticator app works differently: the app holds a secret shared with the server and derives a short-lived OTP from it locally (time-based OTP, TOTP), or receives a push notification to approve; in either case nothing crosses the SMS network. This avoids the weaknesses listed above, but it has its own disadvantages. If a phone running such an app is compromised, malware can read the secret and generate valid OTPs without the owner noticing. An attacker abusing SMS-based 2FA is more visible, since the user sees the text message arrive, so the abuse tends to be discovered earlier.
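As an added example (not the article's own code, nor any vendor's), here is what an authenticator app and the server each compute in the TOTP scheme (RFC 6238, built on HOTP from RFC 4226): the code is derived from a shared secret and the current time, so nothing is transmitted. The server side also shows the two checks a practitioner wants: tolerance for one step of clock drift, and refusal to accept a time step that has already been used. The secret and the time values are the RFCs' published test vectors, not real credentials.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time. This is what the app shows."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server side. Holds the same secret, tolerates +-skew steps of clock drift, and
    remembers the newest step it accepted so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self._secret = secret
        self._step = step
        self._skew = skew
        self._digits = digits
        self._last_counter = -1

    def verify(self, submitted: str, at: float) -> bool:
        counter = int(at) // self._step
        for c in range(counter - self._skew, counter + self._skew + 1):
            if c <= self._last_counter:
                continue                          # that step was already consumed
            if hmac.compare_digest(hotp(self._secret, c, self._digits), submitted):
                self._last_counter = c
                return True
        return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (a published constant, not a real key).
TEST_SECRET = b"12345678901234567890"


def demo() -> dict:
    """Run the RFC time values through both sides."""
    server = TotpVerifier(TEST_SECRET)
    results = {}
    app_code = totp(TEST_SECRET, 59)                     # app at t=59 (step 1)
    results["accepted"] = server.verify(app_code, 59)    # server, same second
    results["replayed"] = server.verify(app_code, 61)    # same code again: refused
    late_code = totp(TEST_SECRET, 1111111109 - 30)       # app one step behind the server
    results["one_step_drift"] = server.verify(late_code, 1111111109)
    results["two_steps_drift"] = server.verify(totp(TEST_SECRET, 1111111109 - 90), 1111111109)
    return results


if __name__ == "__main__":
    print(totp(TEST_SECRET, time.time()), demo())
```

The contrast with SMS is visible in the code: the only thing an attacker can steal from the network is nothing, because nothing is sent; what they can steal from a compromised phone is `TEST_SECRET` itself, after which `totp()` gives them every future code silently. That is the trade-off the paragraph above describes.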
Do you need to change your 2FA for more security?
Perhaps the most important question is whether you need to improve your security by dropping SMS from your 2FA. Before making big and costly changes, assess your current situation. What do you protect with 2FA? What budget do you have for changes?
If the transactions or sessions you secure with an OTP are of very high value, consider a stronger second factor. For all other cases, the investment will likely be too large compared to the gain in security. As explained above, the probability that an attacker intercepts an OTP sent by SMS is low.
So, should you stop using 2FA altogether? We would not recommend it. Users reuse passwords across websites, no matter how often you force them to change them. Passwords remain one of the most frequently compromised credentials, and a password alone cannot be considered safe.
See it this way: on a rough, illustrative scale from 0 to 100, where 100 is unhackable, a username and password alone might score 20. Adding SMS-based 2FA raises that to around 75 for a relatively small investment. Securing logins with another method might bring it to 85, but at a much larger cost. For most of the connections your company needs to secure, SMS is a good middle ground.