Day in, day out we are confronted with the legacy authentication systems that our customers and prospects currently have in place. SMS authentication is still very common as a second factor, but satisfaction with this solution is low. Nearly all companies we meet are looking into alternatives, and here is why.
1. Sending SMS is expensive
The typical cost for sending a single SMS in Western Europe is about 5 to 10 eurocent. Even with big volumes, this price hardly goes down. So, if you have users that log in regularly, this cost adds up quite fast.
2. SMS have no guaranteed (timely) delivery
By design, SMS are not guaranteed to be delivered, let alone delivered within the time frame of a login. You do not want your user to wait more than a few seconds before getting the SMS needed to complete the authentication.
3. SMS authentication introduces additional user friction
When used as a second factor, SMS authentication creates an extra layer of friction for your users. Now, on top of the existing hassle with usernames and passwords, your users also have to copy over the 6 digits (also known as a One Time Password or OTP) they received by SMS.
4. The cellular network comes with its own set of risks
The cellular network was not built with security in mind. Every mobile operator in the world has potential access to your unencrypted SMS as these pass over its network. SIM swap attacks have shown that it is also susceptible to social engineering: an attacker only needs to convince one staff member at any service point of your mobile operator in order to request a new SIM card in your name.
5. The actual security benefit is small
Phishing attacks have become more sophisticated and often happen in real time, whereby the attacker also gets your OTP.
On top of that, an OTP only provides limited resistance to attackers simply trying random values (a brute-force attack). The attacker has one shot in a million to be correct. This may not seem like much, but depending on the total number of users and the throttling mechanism in place (i.e., you can only try a limited number of times in a given time frame), an attacker will gain access to your system as one of your users quicker than you think.
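As an added illustration (example code, not from the original post or from nextAuth), the following Python models the point above: a verifier that caps failed OTP guesses per user in a sliding window, and the risk arithmetic for a six-digit code. The class and function names, the sample limits (5 attempts per 10 minutes) and the user count (100,000) are assumptions chosen for the example.

```python
"""Added example (not nextAuth's code): six-digit OTP verification with
per-user throttling, and the risk arithmetic behind 'one in a million'."""
import hmac
import time
from collections import defaultdict, deque

OTP_SPACE = 10 ** 6  # six decimal digits: a random guess is right 1 in 10^6 times


class ThrottledOtpVerifier:
    """Allows at most `max_attempts` failed guesses per user within a sliding
    window of `window_seconds`; once the budget is spent, further guesses are
    refused without being compared, which caps a brute-force attacker's odds.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_attempts=5, window_seconds=600, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # user -> timestamps of failed guesses
        self._issued = {}                    # user -> OTP currently valid (assumed server-side store)

    def issue(self, user, otp):
        """Record the OTP that was sent to `user` (by SMS or any other channel)."""
        self._issued[user] = otp

    def _prune(self, user, now):
        q = self._failures[user]
        while q and now - q[0] >= self.window:
            q.popleft()

    def remaining_attempts(self, user):
        self._prune(user, self.clock())
        return max(0, self.max_attempts - len(self._failures[user]))

    def verify(self, user, guess):
        """Returns 'ok', 'rejected' or 'throttled'."""
        now = self.clock()
        self._prune(user, now)
        if len(self._failures[user]) >= self.max_attempts:
            return "throttled"
        expected = self._issued.get(user)
        # Constant-time comparison so timing does not reveal matching digits.
        if expected is not None and hmac.compare_digest(expected, guess):
            del self._issued[user]          # an OTP is single use
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        return "rejected"


def p_single_user(attempts):
    """Probability that `attempts` random guesses hit one six-digit OTP."""
    return min(1.0, attempts / OTP_SPACE)


def p_any_user(attempts_per_user, users):
    """Probability that spending the per-user budget against every one of
    `users` accounts compromises at least one of them in a single window."""
    return 1.0 - (1.0 - p_single_user(attempts_per_user)) ** users


if __name__ == "__main__":
    # Constructed scenario: 5 guesses per 10-minute window allowed, 100,000 users.
    print(f"one user, 5 guesses: {p_single_user(5):.6f}")
    print(f"any of 100,000 users, 5 guesses each: {p_any_user(5, 100_000):.3f}")
```

The per-user limit keeps a single account's odds at 5 in a million per window, but `p_any_user` shows the same budget spread over 100,000 accounts already gives roughly a 40% chance that some account falls in one window. That is why per-account throttling alone is not enough and a global or per-source rate limit belongs next to it.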
Alternatives to SMS authentication
Free OTP apps
Free OTP apps (for example Google Authenticator, Microsoft Authenticator) solve many of the issues that SMS authentication suffers from. There are no more communication costs to get the OTP to the user, the OTP is available in real time, and the risks associated with the usage of the cellular network disappear. However, these apps actually create additional friction for the user, instead of reducing it.
When giving users the choice between SMS authentication and an OTP app, over 90% choose the former.
Installing a third-party app just for generating an OTP is a major hurdle for most users, especially since they do not need to do anything to receive SMS. In a mobile-first scenario, copying the OTP from one app to another requires the user to switch apps. In contrast, SMS are shown as a popup, and apps can be configured to automatically retrieve the OTP from specially formatted SMS.
Mobile authentication SDKs
The main reason for the low adoption of free OTP apps is the poor user experience. By using a mobile authentication SDK, you can augment your current app or easily build a white-label authenticator app, giving your users an app with your trusted branding. While these SDKs take care of security, you can focus on user experience and reducing user friction. Most of the authentication can be handled in the background. Depending on the situation, the user will be asked to provide a second factor, which is typically a biometric or PIN.
About nextAuth
nextAuth is a mobile user authentication technology provider, offering both a mobile SDK and white-label apps. With our technology, you can give your users passwordless (and even usernameless) 2FA.