Why should I use SMS for authentication?


Perhaps one of the most widely used methods by digital consumer services in digital registration processes, Business SMS has been at the center of few hacking cases. The SMS “deprecation” (now softened to “restricted” by NIST – National Institute of Standards and Technology in the United States) has led many enterprises to back away from it. Indeed, SMS alone may be vulnerable to man-in-the-middle attacks and one-time password (OTP) interception. However, there are two main reasons why enterprises stick with SMS:

  • To discontinue email-based authentication or use it as a complement to email.
  • To keep 2FA user-friendly, as using SMS does not require an app download, a smartphone or data connection.

There is no doubt that there are a few issues with SMS in authentication scenarios. However, most people see the use of OTP messages in isolation. When SMS is used as part of a comprehensive verification and authentication solution, the scenario becomes something more positive altogether. For instance:

  • The combined use with context-based solutions, such as phone intelligence to identify suspicious activity — like phone numbers used from locations where fraud is rife.
  • The proactive monitoring of SIM activity to detect potential SS7 attacks, SIM swaps and spoofing.
  • The proactive use of SMS alerts to communicate with users in case suspicious activity has been detected.
  • The provision of contextual information to users within the OTP message, which may include: the company ID, purpose (account access? password reset?), transaction amount and payee information (as required by the Payment Services Directive 2, or PSD2, an EU payment regulation)

In addition, there are a few other best practices that may increase security in two-factor authentication:

  • Messages should be programmed to expire quickly (e.g. 10 minutes)
  • The use of SMS to send secure links, not just OTPs. This could be an option to dodge fraudsters
  • The use of high-quality routes, backed by reliable operator connectivity. In most cases, hackers are able to intercept OTPs from low-quality SMS routes.
  • The combination with other authentication methods for use cases that require stronger security, such as push notifications and biometrics.

When used wisely, SMS (and voice, as a fallback) can step up to higher grades of security, and enable enterprises to combine usability and strong two-factor authentication. SMS is certainly not perfect, but none of the other authentication methods is. To increase security, it is essential to keep the authentication process user-friendly.

Find out more in our Authentication product page.