How Secure Is SMS-Based 2-Factor Authentication?

Published August 08, 2016 by Srivatsan Srinivasan

Many businesses are looking to secure their users by strengthening the authentication process on their web and mobile applications. SMS-based one-time passwords (OTPs) are among the top considerations for bolstering the typical username and password combination used to authenticate users today. SMS 2FA is easy to implement, cost-effective, and provides an experience that users are accustomed to.

NIST Guidelines

Recently, the National Institute of Standards and Technology (NIST), whose guidelines apply to government agencies, published a preview of its Digital Authentication Guideline in which out-of-band (OOB) authentication using SMS is deprecated. In a follow-up blog post, NIST gives two reasons for deprecating SMS: VoIP services can receive SMS (so the code is not tied to a physical phone), and SMS messages can be redirected or intercepted. The guidelines further support only limited use of biometrics for authentication, requiring them to be combined with another factor (something you know or something you have). Their recommendation is to tie user authentication to a specific device, which also precludes email.

SMS verification codes have multiple use cases

SMS-based OTP has several use cases. Take spam prevention, for instance. Here, tying a user account at registration to a unique phone number is far more effective than simply using email addresses, social logins, or CAPTCHAs. SMS-based phone verification is incredibly popular and is used by applications with the largest user bases, including email and chat-app services. It is highly effective because implementation is fast and inexpensive, and consumers worldwide can receive SMS. Nexmo Verify goes a step further by blocking numbers that are detected as virtual, premium, or toll-free and by providing the ability to verify only mobile numbers. In addition, the verification code expires after a short period of time (5 minutes by default).
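The two properties just described for a verification code, a short expiry (5 minutes by default) and single use, are enforced on the server that issues the code. The following Python example is added here to show that logic; it is not Nexmo's code, the attempt limit of 3 and the injectable clock are assumptions, and the number-type screening mentioned above (which requires a carrier lookup) is not modelled.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60   # the page's stated default expiry: 5 minutes
MAX_ATTEMPTS = 3           # assumed limit on guesses per issued code (not from the page)


class OtpStore:
    """In-memory store of pending verification codes, keyed by phone number.

    `now` is injectable so expiry can be exercised without waiting; in
    production it would simply be time.time.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}

    def issue(self, phone):
        """Generate a fresh 6-digit code for `phone`, replacing any earlier one."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self._pending[phone] = {
            "code": code,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # the caller hands this to the SMS gateway, never logs it

    def verify(self, phone, submitted):
        """Check a submitted code; every outcome other than 'ok' leaves no valid code."""
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending_code"
        if self._now() >= entry["expires"]:
            del self._pending[phone]          # expired codes are discarded, not retried
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[phone]          # brute-forcing a 6-digit code is cut off
            return "too_many_attempts"
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[phone]          # single use: a replayed code is rejected
            return "ok"
        return "wrong_code"
```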

SMS-based OTP and 2FA

An SMS-based one-time password (OTP) is often used as one of the two factors in 2FA, and the NIST guidelines are directed at this use case. NIST agrees that username/password combined with an SMS OTP is far more secure than a static password alone. If your application does not need the level of security that a government agency does, you are certainly improving security by offering users the option to enable SMS-based 2FA in addition to their static passwords. For applications requiring higher security, out-of-band (OOB) authentication can be implemented using push verifications, per the NIST guidelines.

Nexmo Verify SDK combines phone numbers with unique device IDs, which lets it detect SIM swaps and prevents the same authentication code from being used across multiple devices. Further, Verify SDK allows applications to benefit from unlimited push verifications per user per month, providing higher security and cost efficiency. Combining biometric authentication with push verifications lets applications authenticate users frictionlessly while maintaining security. In addition to Verify and Verify SDK, Nexmo offers OOB authentication over voice calls with our TTS and TTS-Prompt APIs.

Ultimately, businesses need to carefully evaluate their use cases, security requirements, and desired user experience before selecting an authentication method for their application.