Should I Implement SMS Authentication?
By Quan Nguyen
June 25, 2021
Passwords are terrible at verifying identities. Computers cannot differentiate who is typing an alphanumeric password, so anyone with the information can authenticate themselves as another user. With the majority of people having some SMS–capable device, it is imperative that we transition away from solely using passwords. Authentication can occur through SMS, meaning users must possess a mobile device. While SMS is a popular multi-factor authentication method, should you implement it for your company over other methods?
SMS as Multi-Factor Authentication
SMS authentication is a type of Multi-Factor Authentication (MFA). It is such because it requires two forms of authentication: something the user knows (phone number) and something the user has (phone), hence multi-factor. As compared to legacy authentication, which are outdated, non-MFA methods, SMS authentication offers more security than a username and password combo. In theory, a hacker seeking access to a user’s accounts will need the physical mobile device.
Modern security standards suggest moving away from passwords completely, replacing them with MFA. Not only are passwords easy to hack, but users often are also overloaded from memorizing potentially upwards of 100 passwords. This results in either security concerns from reusing the same password for multiple apps, or financial costs to your company from help desk calls when users forget their passwords. Modern alternatives for passwords include fingerprint scans, SMS/email authentication, and anonymous login services like humanID.
How SMS Authentication Works
The process can vary depending on the company, but all follow a general procedure. Without coding everything yourself, you first need to register your business with an authentication platform like Auth0. After working with the platform to integrate it into your app, users will be prompted to enter their phone number. Your app will then call the authentication platform’s passwordless Application Programming Interface (API). The user receives an SMS text message that includes a One-Time Password (OTP). Users can copy and paste the OTP into the app they are attempting to login to. Sometimes, the SMS will contain a link that directs the user back to the app while authenticating them.
While an authentication platform handles most of the backend work, app developers will still need to input some simple code. Follow Auth0’s guide for assistance with coding. Entering your own code allows customizability in the SMS that will be sent to clients. Some options include setting a time interval for which an OTP will be valid or a welcoming message that complements the OTP.
Setting up SMS authentication seems easy enough, but should you implement it instead of other MFA methods?
Benefits of SMS Authentication
Each authentication method has its own advantages and disadvantages. SMS authentication being something that is widely accessible makes it a convenient option for users.
- Uses MFA, providing a more secure login than legacy authentication. While it may require more effort than passwords to complete SMS authentication, the risk of being hacked is outweighed. Remember, hackers are counting on users to be lazy by constructing weak passwords.
- It is convenient. While not everyone has smartphones, there are a staggering 5.2 billion unique mobile phone users that are capable of receiving SMS. Since a large population already uses their phones every day, SMS authentication is easy to deploy and users will not have to download new software.
- Low effort for companies. Developers may not need to code much and the cost of sending out SMS can be low. Users also experience low costs for receiving SMS.
- Highly available for implementation and easily customizable. This authentication method can be effective when the OTP is set to expire after a few minutes rather than being valid indefinitely. SMS authentication also rivals other methods such as biometrics (fingerprint scans, facial recognition, etc) which are not yet available in all instances.
- In some cases, it can be automated. Using SMS Retriever API, users can be authenticated without enabling extra app permissions or use of OTPs.
Risks and Downfalls
There are many benefits to SMS authentication when compared to legacy authentication, but modern technologies and hacking/scamming methods render SMS relatively weak.
- Risk is high in receiving SMS from unfamiliar senders. Links that are sent through SMS can be difficult to ascertain the source without clicking it. Malicious hackers may send users to unsafe websites that jeopardize user data or trick them by tampering with the link (using URL shortener services like bit.ly). It is hard to trust unverified senders, especially if there is no custom message or identifiers of the sender.
- Phishing. Phishing is the act of hackers/scammers trying to claim user information through untrustworthy links to dangerous websites. They may directly ask for user information through SMS. As a company, there is not much you can do to prevent phishing attempts but not use SMS authentication altogether. In 2020, phishing claimed the most victims in cybercrimes.
- SIM swapping. This is another scam by malicious people that involves the scammer having enough information on a user to impersonate them. The scammer requests for a replacement SIM card on users’ behalf so they will receive all SMS directed to the user’s phone number. Similarly, a scammer may impersonate a service carrier to receive user information.
- Too reliant on hardware and cellular service. If a hacker was to get their hands on someone’s device and number, they would have access to all accounts on the device and SMS authenticated accounts. Many users don’t lock their phone with a PIN or password, making retrieval of the phone number even easier. Even with a password protecting access to the phone, many users also do not hide their SMS from showing up on the lock screen. This makes viewing OTPs a cinch if the phone is stolen.
- Can be incredibly expensive for companies. While SMS authentication is relatively simple to implement and the cost per SMS sent is low, costs stack exponentially for large companies.
After identifying pros and cons of SMS authentication, it is clear that it does not offer the most secure login method. There are other modern authentication methods that are safer and offer a better user experience, one of which is humanID. humanID is similar to SMS authentication, but is one-click verification and completely anonymous. It works by requesting the user’s phone number and sending them an SMS. After receiving it, the user’s number is irreversibly encrypted, then humanID erases the phone number from their services. humanID takes a user’s phone number and hashes it, meaning the number is encrypted and irreversible.
Overall, SMS authentication may be an easy solution and upgrade from passwords but does not compare to more secure methods like humanID. Other solutions are rising in popularity and accessibility. While we recommend a more secure and private alternative, SMS authentication is a viable upgrade from traditional password logins.