Here’s why you should not use SMS-based two-factor authentication

March 30, 2017

Instagram recently pushed out its two-factor authentication update. Even though this is a step in the right direction, it was a slight disappointment to realize that their strong authentication method is based on SMS.

America’s National Institute of Standards and Technology (NIST) already advised against SMS-based two-factor authentication in July 2016. According to NIST, companies implementing new systems should consider alternative authenticators, because of the risk that SMS messages or voice calls may be intercepted or redirected.

What has happened since the NIST advice? Frankly, no dramatic change has yet taken place. As Instagram’s update shows, companies are still adopting SMS-based two-factor authentication. The good news is that companies seem to be less interested in SMS authentication than before.

What is wrong with SMS authentication?

SMS authentication was initially developed to fight phishing attacks and Trojans. But as attackers evolved with the times, they found ways around it. Attackers are in fact now using SMS itself to phish for account information. Because some banks use SMS to communicate with their customers, those customers can be confused and fooled by criminals sending look-alike messages.

The security of SMS authentication relies on the security of cellular networks, and given the known attacks against Global System for Mobile Communications (GSM) and 3G networks, the confidentiality of text messages cannot be assured. Vulnerabilities were already being disclosed in 2013, and more threats have appeared since then. SIM swap attacks have grown common enough for New York State to issue an official warning.

And if that wasn’t enough, SMS messages are stored in plaintext by the short message service center (SMSC) before they are delivered to the recipient. These messages could be viewed or modified by anyone with access to the SMSC’s messaging system.

Is SMS authentication technically even two-factor authentication?

NIST states that SMS does not always prove possession of something you have, and therefore may not be an appropriate second factor. The idea of two-factor authentication is to test someone’s identity based on something they know (like a password) and something they have (like their phone or another device). SMS turns ‘something you have’ into ‘something they sent you’.

What should you do?

There’s no denying that SMS remains vulnerable to many variations of attack. Companies should use other authentication methods, simply because better alternatives are available. Some banks and services are aware of the risks related to SMS authentication and do not use it. If possible, it is recommended that you install a bank app (or some other authenticator app) to avoid the possibility of receiving fraudulent SMS messages.

As a reminder, MePIN does not use SMS messaging as its main authentication channel because of the method’s known vulnerabilities. MePIN secures mobile apps and enables them to become a security token for logins and transactions. For communication, MePIN has created a secure channel inside the app for this purpose. With MePIN, services have a secure way of authenticating users and engaging with them without spamming them or compromising security.