Published: Mar 07, 2017
Last update: Jun 28, 2022

Is SMS-based authentication secure?

The number of web and mobile application users has grown to the point where it is difficult to tell legitimate users, who simply want easy access to every kind of electronic transaction, apart from genuine cybercriminals.

Many brands and companies have had to adopt online security systems that make life easier for the former and harder for the latter. Sending an SMS message has become the first step in authenticating a user's identity.

Is SMS-based authentication secure?

One-time passwords (OTPs) sent by SMS are not secure enough for some uses, which is why two-step authentication (2FA, short for two-factor authentication) was born. 2FA is far safer than a lone OTP, but it still has to be set up carefully and rigorously to be really secure.

2FA using SMS is easy to get up and running, cost-effective and relatively easy for users who are already accustomed to such systems for accessing online accounts, for example online banking, which confirms actions by sending SMS messages to the account holder.

One-step authentication with SMS

OTP via SMS has various uses. One is to keep users from receiving spam: linking a user account to a telephone number is far more effective than linking it to an email or social media account. Telephone verification by SMS is very popular and is used by applications with a large user base, including a number of email services.

OTP is effective because it is fast and cheap. Practically every consumer around the world can send and receive SMS messages, without even owning a smartphone. There are even free services that verify mobile phone numbers. In addition, the verification code expires after a short period of time (normally 5 minutes).

Two step verification with SMS

A one-time password is, in reality, just the first of the two steps in the 2FA process. However, data traffic such as SMS messages has met the additional security requirements recommended by the US government agency that drafted a series of guidelines which agencies dependent on the administration must follow.

The National Institute of Standards and Technology (NIST) agrees that a username and/or password combined with an SMS-based OTP is far more secure than static passwords alone. NIST also recommends, however, using biometric features as one of the authentication steps.

For brands and commercial companies, this approach is somewhat overzealous and could easily be rejected by users. It is not really necessary: there is no need to enforce an SMS-based 2FA system with these types of passwords.

Use of single devices in SMS verification systems

Another way to increase the security of SMS-based verification is to use systems that limit the authentication process to a single device. They can even detect a SIM card change in the registered device, to prevent one registration from creating multiple (at least apparent) users.
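The properties described above for the OTP step and the single-device step (a code that expires after 5 minutes, is consumed on first use, and is rejected if the SIM or device it was issued to has changed) can be enforced on the server side. The following is an added example, not code from the original post or from any named vendor; the `device_id` is assumed to be an opaque SIM/device identifier supplied by the registered app, and the three-attempt limit is an assumption.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300      # the post's "normally 5 minutes"
MAX_ATTEMPTS = 3           # assumption: discard the code after three wrong guesses


class SmsOtpStore:
    """In-memory OTP state keyed by account; a real service would persist this."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # account -> dict(code, expires, device, attempts)

    def issue(self, account, device_id):
        """Generate a 6-digit code bound to the device that requested it.
        Returns the code so the caller can hand it to the SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = {
            "code": code,
            "expires": self.clock() + OTP_TTL_SECONDS,
            "device": device_id,
            "attempts": 0,
        }
        return code

    def verify(self, account, device_id, submitted):
        """Return (ok, reason). ok is True at most once per issued code,
        and only for an unexpired code submitted from the same device."""
        entry = self.pending.get(account)
        if entry is None:
            return False, "no_pending_code"
        if self.clock() > entry["expires"]:
            del self.pending[account]
            return False, "expired"
        if entry["device"] != device_id:
            del self.pending[account]   # SIM/device changed: force re-enrolment
            return False, "device_mismatch"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[account]
            return False, "too_many_attempts"
        if not hmac.compare_digest(entry["code"], submitted):
            return False, "wrong_code"
        del self.pending[account]       # single use: consume on success
        return True, "ok"
```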

Overall, it is up to each company to evaluate its own user authentication process. Different security requirements apply depending on the type of registration. User experience, whether positive or negative, should also be taken into account before choosing an authentication method. It is always worth remembering that, in the era of mobile messaging, the public still values the privacy of SMS.