twitter logo linkedin logo facebook logo

MIRACL Trust vs SMS Comparing 2-step MFA with 1-step MIRACL Trust.


What is SMS 2FA? 

Companies and customers have long realised that passwords alone won’t keep their accounts safe. It takes a hacker an average of two seconds to break a password that uses only numbers, and with 83% of Americans using weak passwords, it’s clear that we need tighter security for authentication. That’s where some companies opt for SMS 2FA. It’s the most widely used multi-factor authentication (MFA) method at present. 

How does SMS authentication work? 

The method is straightforward. Once the user has signed in, they receive a text message with a time-sensitive SMS authentication code. The user must type in that code on the app or website to access their account. SMS 2FA is a so-called possession-based factor, meaning it verifies a user’s identity with something they own (in this case, a smartphone). Hackers would need the login details and the physical device to get access to the user’s account. That’s the theory- but this method has its limitations. 

Is SMS 2FA safe? 

SMS 2FA has its advantages. The method itself is simple, so users don’t have to be tech-savvy to use it. There are no apps to download or codes to scan. And with people having to remember an average of 10 passwords a day, any authentication method that lightens the mental load has a competitive advantage. 

But SMS 2FA is cumbersome: 30% of users don’t have their phones with them when trying to log in. Since some codes only last a few seconds, you often need to resend the code and start all over again. That adds unnecessary time to the process and is prone to user error. It can increase friction and in the case of eCommerce, lead to cart abandonment. 

Then, there’s the issue of data safety. SMS 2FA is safer than passwords alone and will protect your data to a certain extent. And yet, it is not foolproof. Consider the infamous Twitter hacks that happened even though users had SMS 2FA activated. Even Twitter’s CEO, Jack Dorsey, was hacked in the past. In his case, hackers worked with staff from the phone company to have the codes transferred to the hacker’s SIM card. How did that happen? One reason lies in the backbone of today’s telecommunication. 

In 1975, AT&T developed SS7/C7, and the International Telegraph and Telephone Consultative Committee adopted it in 1980 as a worldwide standard. All the telecom infrastructure around the world relies on this Signaling System 7 telephony protocol (SS7). Telecom networks use it to communicate between themselves, begin and end calls and perform services like SMS. The problem is that SS7 is primarily based on trust- any received request is considered legitimate, and the telecom will most likely accept it. That makes SS7 quite vulnerable. An experienced hacker can exploit these vulnerabilities, intercept a text message and gain access to user accounts. 

Then, there’s SIM swapping, a real danger when it comes to SMS 2FA. Hackers contact the phone company, convincing them to transfer the authentication details to another SIM card- their own. Usually, they have collected personal information about the victim beforehand, so the phone company doesn’t pick up on the scam. 

Why is SMS not good for MFA?

Codes can appear on your phone’s preview screen, accessible by anyone next to the phone, even when it’s locked. And there are the SMS messages themselves. As they’re sent in clear text, they’re not secure. 

More than that: entering a code on a web page introduces the potential for a man-in-the-middle (MITM) attack. **They make up to 35% of all cybersecurity attacks, and it isn’t easy to protect yourself against them. SMS 2FA can’t eliminate that risk. **

Personal data and convenience

SMS 2FA uses your personal data for authentication. The company’s server needs to store your mobile phone number on its server for a seamless authentication process. 

Then, there’s convenience. 30% of people don’t have a mobile with them when they log in via a different device. Usually, they only have 10 seconds to use the SMS authentication code, so if they can’t get their hands on their smartphone in that time, they must repeat the process. 


Last, SMS authentication is very expensive. Companies have to pay for every SMS message delivered to their user. That can result in monthly five-digit and six-digit bills to operate.

Should I use 2-Step SMS or Single-Step MFA? 

Multi-step multi-factor authentication is a hassle. MIRACL Trust is the world’s only single-step MFA. You enter your PIN and you’re in. The process takes two seconds and is much more secure than SMS 2FA or any other MFA solution. 

First, our zero-knowledge proof protocol eliminates vulnerable password databases from the authentication process. That way, you’re not only protected from man-in-the-middle attacks but also replay, credential stuffing, password spraying and phishing.

MIRACL is cloud-based so that you can use it from anywhere and is independent of your own system. Even better, we don’t save personal data, so your customer’s and companies' privacy is protected. Our prices are one-tenth of other multi-factor authentication processes. MIRACL is also PSD2 compliant, so your security authentication is guaranteed no matter the country. 

Curious if MIRACL would fit your needs? Schedule a demo here or get in touch with any questions here.