twitter logo linkedin logo facebook logo

Switching to Multi-Factor Authentication? Beware of SMS as the additional factor…

MIRACL International Limited

Switching to Multi-Factor Authentication? Beware of SMS as the additional factor

The Rise of Multi-Factor Authentication

The world is slowly but surely saying goodbye to its reliance on a single password to protect our digital lives. According to Verizon’s Data Breach Report, password abuse is still responsible for 70% of all hacks and there is broad consensus that the use of Multi-Factor Authentication (MFA) would prevent 99% of those breaches.

For these reasons, MFA has become commonplace in the office and now that Google and Salesforce are requiring all incoming traffic to authenticate with two or more factors (as of Feb 2022), other cloud applications, including consumer-facing ones, will surely follow. Authentication is no less important for consumer applications as they face a strong imperative to safeguard accounts and customers’ privacy in line with GDPR and the many other fast emerging privacy standards (CCPA in the US, PIPL in China, LGDP in Brazil, POPI in South Africa, NDPR in Africa etc).

So, the race to adopt MFA and passwordless login in the consumer space is now on but careful consideration is needed because consumer-facing applications have very different requirements to enterprises, for example, in terms of user experience and privacy.


The most common solution for MFA to consumers is SMS 2FA. It is responsible for over 55% of all MFA logins and does not require the user to download and configure an additional authenticator app. However, there is growing evidence that SMS for authentication is basically broken so operators need to think carefully.

What are the Security issues with SMS 2FA?

SMS was only ever designed to deliver a message, not a secret. As such, it has always been relatively vulnerable to compromise because it is an unencrypted ‘plain-text’ message (the standard, GSM 03.40, is not encrypted) coming from an unknown, unverifiable sender that could easily be spoofed. The one-time code supplied is frequently available on a device’s locked screen or can be captured via social engineering. However, the risk of SIM-swapping has recently grown significantly due to breaches of mobile carrier’s customer data, such as the one that occurred recently involving all 53m of T-Mobile’s customers. Armed with all of a users’ personal data, impersonation is easy.

What are the User Experience issues with SMS 2FA?

Studies show that apart from security, what users value most in an authentication method is speed. SMS 2FA is slow because it requires so many processes to occur; accessing a mobile (assuming a user is on a separate device), waiting for the SMS (this may require moving to where cell coverage is available), accessing the messaging app, selecting the message, recalling the 6 digit code, selecting the window in which this needs to be entered etc. This may take as long as 30 to 60 seconds, more if cell coverage is poor.

Moreover, because there are so many critical processes to SMS 2FA, failure is commonplace. Users fail to enter the 6-digit code correctly, an SMS message is delayed on the network or perhaps a user is just distracted during the wait. Data shows that typically 10 to 15% of inbound users fail to authenticate on their first attempt when using SMS 2FA. This effectively renders it unviable for any discretionary consumer-facing service for which an alternative is readily available.

Has SMS 2FA kept pace?

30 years old, SMS 2FA is the oldest form of multi-factor authentication but has it kept pace? Certainly, in the last 5 years the number of endpoint devices has grown rapidly, particularly as the pandemic has had almost all employees using their own device. In a Zero Trust environment, in which reauthentication is required 6 or 8 times per day, that can add up to a lot of messages. Okta recently revealed that its SMS authentication traffic increased 1,000% in the pandemic. But that increases both an inconvenience in having to refer back to the mobile each time a device is asked to authenticate plus a significant amount of employee time and cost.

What about situations where access to a mobile phone is not possible because of the potential security risk from un-policed phone lines or cameras being used to capture information? For shop floor assistants, medical staff in theatre, staff in laboratories or on trading floors access to a mobile phone is not possible. SMS 2FA is clearly of no use in these instances yet with the growing use of cloud-based applications, there is a real requirement for secure authentication.

Ten years ago, cloud-based services we’re the small minority of users’ authentications. Not so today. The attack vectors hackers can use in cloud environments are very different and SMS 2FA simply offers no protection.

Historically, authentication was treated simplistically as a binary outcome. Now consideration is given to the different gradation of risk that may necessitate an operator requiring additional steps from a user to complete a ‘step-up’ authentication where security is particularly important. SMS 2FA does not meet that need.

How has SMS 2FA failed and caused breaches in the past?

One example of a network breach occurred in Germany which exploited vulnerabilities in the Signaling System 7 protocol – the magic glue used by cell-phone networks to communicate with each other. These shortcomings can be potentially abused to, for example, redirect people’s calls and text messages to miscreants’ devices. This technique was deployed against O2-Telefonica in Germany which had some of its customers’ bank accounts drained using a two-stage attack that exploited SS7.

Social engineering was used by hackers against a Philippines senator by sending a text alert of a request to change his phone number from the credit card company. Since the senator was presiding over a known committee hearing, he had no time to check his phone from 2:00 PM to about 5:00 PM and in that time the hacker managed to change his number. When an OTP (one-time PIN) was sent to confirm a purchase of $25,000, the hacker confirmed them and the senator was oblivious until the credit card company advised the senator of the transactions.

Malware nicknamed ‘TrickBot’ was incorporated into an Android app that can bypass some of the two-factor authentication (2FA) solutions employed by banks. The app, which security researchers from IBM named TrickMo, works by intercepting one-time (OTP) codes banks send to users via SMS or push notifications. TrickMo collects and then sends the codes to the TrickBot gang’s backend servers, allowing the crooks to bypass logins or authorise fraudulent transactions.

Is SMS 2FA costly?

Despite the fact that it requires no licence cost and support cost is relatively low, depending on geography, SMS 2FA can be the most expensive authentication option. In Europe, AWS starts at approximately 4c for an SMS but declines to approximately 1c with large scale. These costs are approximately halved in the US and are even lower in India. However, the costs of cross-border SMS, can be 3 times the cost of domestic messaging. Since cross-border traffic is the fastest growing component of most operators, the costs can easily rack up.

In summary, SMS 2FA is now 30 years old and is no longer fit for purpose as an authentication tool. Security flaws have resulted in costly and damaging breaches but SMS 2FA’s shortcomings also extend to the user experience and consumers’ need for minimised friction in their online purchasing journey.

Happily, cryptography and cybersecurity has evolved. MIRACL provides website and app operators with passwordless multi-factor authentication that breaks new ground being both fast and easy to use while also maximising users’ privacy and security. Learn more about the features here or get in touch for a demo here.

Get the MIRACL memo in your inbox

Get in touch to learn more

You can opt out at any time. See our privacy policy here.