What is SMS 2FA?
Companies and customers have long realised that passwords alone won’t keep their accounts safe. It takes a hacker an average of two seconds to break a password that uses only numbers, and with 83% of Americans using weak passwords, it’s clear that we need tighter security for authentication. That’s where some companies opt for SMS 2FA. It’s the most widely used multi-factor authentication (MFA) method at present.
How does SMS authentication work?
The method is straightforward. Once the user has signed in, they receive a text message with a time-sensitive SMS authentication code. The user must type in that code on the app or website to access their account. SMS 2FA is a so-called possession-based factor, meaning it verifies a user’s identity with something they own (in this case, a smartphone). Hackers would need the login details and the physical device to get access to the user’s account. That’s the theory- but this method has its limitations.
Is SMS 2FA safe?
The SMS 2FA method itself is simple, so users don’t have to be tech-savvy to use it. There are no apps to download or codes to scan. And with people having to remember an average of 10 passwords a day, any authentication method that lightens the mental load has a competitive advantage.
But SMS 2FA is cumbersome: 30% of users don’t have their phones with them when trying to log in. Since some codes only last a few seconds, users often need to resend the code and start all over again, or copy the code down incorrectly and fail the login process altogether That adds unnecessary time to the process and is prone to user error. It can increase friction and in the case of e-commerce lead to cart abandonment.
Then, there’s the issue of data safety. SMS 2FA is safer than passwords alone and will protect your data to a certain extent. And yet, it is not foolproof. Consider the infamous Twitter hacks that happened even though users had SMS 2FA activated. Even Twitter’s former CEO, Jack Dorsey, was hacked in the past. In his case, hackers worked with staff from the phone company to have the codes transferred to the hacker’s SIM card. How did that happen? One reason lies in the backbone of today’s telecommunication.
More recently, Twitter changed its policy on SMS-based two-factor authentication, limiting its use to premium members only. Twitter’s new CEO, Elon Musk, says SMS bills were costing Twitter $60 million dollars a year, and were too easily abused by scammers.
Watch CEO Rob Griffin break down the costs and assumptions behind Twitter’s move to pay for SMS.
The weak link in SMS 2FA
In 1975, AT&T developed SS7/C7, and the International Telegraph and Telephone Consultative Committee adopted it in 1980 as a worldwide standard. All the telecom infrastructure around the world relies on this Signaling System 7 telephony protocol (SS7). Telecom networks use it to communicate between themselves, begin and end calls and perform services like SMS. The problem is that SS7 is primarily based on trust- any received request is considered legitimate, and the telecom will most likely accept it. That makes SS7 vulnerable. An experienced hacker can exploit these vulnerabilities, intercept a text message and gain access to user accounts.
Then, there’s SIM swapping, a real danger when it comes to SMS 2FA. Hackers contact the phone company, convincing them to transfer the authentication details to another SIM card- their own. Usually, they have collected personal information about the victim beforehand, so the phone company doesn’t pick up on the scam.
Why is SMS not good for MFA?
Codes can appear on your phone’s preview screen, accessible by anyone next to the phone, even when it’s locked. And there are the SMS messages themselves. As they’re sent in clear text, they’re not secure.
More than that: entering a code on a web page introduces the potential for a man-in-the-middle (MITM) attack. They make up to 35% of all cybersecurity attacks, and it isn’t easy to protect yourself against them. SMS 2FA can’t eliminate that risk.
Personal data and convenience
SMS 2FA uses your personal data for authentication. The company’s server needs to store your mobile phone number on its server for a seamless authentication process.
Then, there’s convenience. 30% of people don’t have a mobile with them when they log in via a different device. Usually, they only have 10 seconds to use the SMS authentication code, so if they can’t get their hands on their smartphone in that time, they must repeat the process.
Last, SMS authentication is very expensive. Companies have to pay for every SMS message delivered to their user, and messages often cost over three pence in the EU, over three pence in the UK, and even more internationally, resulting in monthly five-digit and six-digit bills. Putting Twitter’s case to the test, we calculated that Twitter could be spending up to $37 per user per year on SMS 2FA!
Why you should abandon SMS 2FA and use Single-step MFA
Multi-step multi-factor authentication is a hassle, unreliable and costly. Compare that to MIRACL Trust, the world’s fastest single-step MFA. Taking less than two seconds, you simply enter your PIN and you’re in. The process is much more secure than SMS 2FA or any other MFA solution and our login success rate is as high as 99.997%, higher than any other MFA in the industry or passwords alone.
With all competing systems that are either dependent on a mobile app or an SMS text message, the time it takes to authenticate a login takes between 20 and 50 seconds. In a world in which consumers have an 8-second attention span, it is not hard to see how a faster authentication results in more lucrative customer journeys.
Our zero-knowledge proof protocol eliminates vulnerable password databases from the authentication process. That way, you’re not only protected from man-in-the-middle attacks but also replay, credential stuffing, password spraying and phishing.
MIRACL is cloud-based so that you can use it from anywhere and is independent of your own system. Even better, we don’t save personal data, so your customers’ and companies’ privacy is protected. Our prices are one-tenth of other multi-factor authentication processes. MIRACL is also PSD2 compliant, so your security authentication is guaranteed no matter the country.
Discover how MIRACL could improve your login success rate and customer satisfaction. Book a demo to explore MIRACL’s user-friendly authentication technology including live demonstrations on both mobile and desktop.