Security and cryptography expert (PhD) - CTO at nextAuth
Day in day out we are confronted with legacy authentication systems. SMS authentication is still very common as a second factor, but satisfaction with this solution is low. Nearly all companies that use SMS authentication are looking into alternatives, and here is why.
1. Trojans/Malware to intercept SMS are real
Cyber criminals trick users into installing malware on their phones through various channels. Popular methods include modifying real apps to embed trojans and disguising malware as an unrelated game or shopping app. These trojans/malware can intercept all SMSes on the user’s phone, including the SMSes that contain your OTP (One Time Password) for authentication, and report them back to the cyber criminals. Here you can find an example of Malaysian Android users being targeted with banking trojans.
2. Sending SMS is expensive
The typical cost for sending a single SMS in Western Europe is about 5 to 10 eurocent. Even with big volumes, this price hardly goes down. So, if you have users that log in regularly, this cost adds up quite fast.
3. SMS have no guaranteed (timely) delivery
By design, SMS delivery is not guaranteed, let alone guaranteed within the time frame of a login. You do not want your user to wait more than a few seconds before getting the SMS needed to complete the authentication.
4. SMS authentication introduces additional user friction
When used as a second factor, SMS authentication creates an extra layer of friction for your users. Now, on top of the existing hassle with usernames and passwords, your users also have to copy over the 6 digits they received by SMS.
5. The cellular network comes with its own set of risks
The cellular network was not built with security in mind. Every mobile operator in the world has potential access to your unencrypted SMS as these pass over the network. SIM swap attacks have shown that the operators themselves are also susceptible to social engineering. An attacker only needs to convince one staff member at any service point of your mobile operator in order to request a new SIM card in your name.
6. The actual security benefit is small
Phishing attacks have become more sophisticated and often happen in real time, whereby the attacker also gets your OTP.
On top of that, an OTP only provides limited resistance to attackers simply trying random values (also known as brute force). The attacker has one shot in a million to be correct. This may not seem like much, but depending on the total number of users and the throttling mechanism in place (i.e., how many attempts are allowed in a given time frame), the attacker will gain access to your system as one of your users quicker than you think.
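To make the "quicker than you think" concrete, here is an added worked calculation (not from the original post) of the brute-force risk across a user base. It assumes a 6-digit OTP drawn uniformly at random, a throttle that invalidates an OTP after a fixed number of wrong guesses, and an attacker who spreads that per-account guess budget over every account; the user count of 100,000 is a constructed figure, not one from the page.

```go
package main

import (
	"fmt"
	"math"
)

// otpSpace is the number of distinct 6-digit codes (one shot in a million).
const otpSpace = 1e6

// PerAccountProbability is the chance of guessing one account's OTP when the
// throttle allows `attempts` wrong guesses before that OTP is invalidated.
// Guesses are assumed to be distinct values, so the chance is attempts/10^6.
func PerAccountProbability(attempts int) float64 {
	p := float64(attempts) / otpSpace
	if p > 1 {
		return 1
	}
	return p
}

// AnyAccountProbability is the chance that an attacker who spends the same
// per-account budget against `users` independent accounts breaks at least one.
func AnyAccountProbability(users, attempts int) float64 {
	return 1 - math.Pow(1-PerAccountProbability(attempts), float64(users))
}

// ExpectedCompromises is the expected number of accounts broken in one sweep
// over all users.
func ExpectedCompromises(users, attempts int) float64 {
	return float64(users) * PerAccountProbability(attempts)
}

// AccountsForCoinFlip returns how many accounts the attacker must sweep for the
// chance of at least one compromise to reach 50%.
func AccountsForCoinFlip(attempts int) int {
	p := PerAccountProbability(attempts)
	return int(math.Ceil(math.Log(0.5) / math.Log(1-p)))
}

func main() {
	// Constructed population: 100,000 users. Each row is one throttling policy.
	const users = 100000
	for _, attempts := range []int{1, 3, 5, 10} {
		fmt.Printf("%2d tries per OTP: P(at least one of %d accounts) = %.3f, expected compromises = %.2f, 50%% reached after %d accounts\n",
			attempts, users, AnyAccountProbability(users, attempts),
			ExpectedCompromises(users, attempts), AccountsForCoinFlip(attempts))
	}
}
```

With 5 attempts per OTP and 100,000 users, a single sweep already breaks an account with probability of about 0.39, which is why per-OTP throttling alone is not enough: the throttle also has to limit attempts per account and per source over time, and the OTP should not be the only thing standing between the attacker and the account.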
Alternatives to SMS authentication
When looking for alternatives to SMS authentication, you usually end up with either a free OTP app or integrating a mobile authentication SDK into your own app. Be aware that the actual security benefit of the alternative will remain low as long as the solution is OTP-based.
Free OTP apps
Free OTP apps (for example Google Authenticator, Microsoft Authenticator) solve a lot of the issues that SMS authentication suffers from. There are no more communication costs to get the OTP to the user, the OTP is available in real time and the risks associated with the usage of the cellular network disappear. However, these apps actually create additional friction for the user, instead of reducing it.
When giving users the choice between SMS authentication and an OTP app, over 90% choose the former.
Installing a third party app just for generating an OTP is a major hurdle for most users, especially since they do not need to do anything to receive an SMS. In a mobile first scenario, copying the OTP from one app to another requires the user to switch apps. In contrast, SMS are shown as a popup and apps can be configured to automatically retrieve the OTP from specially formatted SMS.
Mobile authentication SDKs
The main reason for the low adoption of free OTP apps is the poor user experience. By using a mobile authentication SDK, you can augment your current app or easily build a white-labeled authenticator app, giving your users an app with your trusted branding. While these SDKs take care of security, you can focus on user experience and reducing user friction. Most of the authentication can be handled in the background. Depending on the situation, the user will be asked to provide a second factor, which is typically a biometric or PIN.
About nextAuth
nextAuth is a mobile user authentication technology provider, providing both a mobile SDK and white label apps. Our technology is based on public key cryptography and provides a substantial security benefit over OTP-based methods. With our technology, you can give your users the passwordless (and even usernameless) MFA experience they deserve.
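To illustrate why a public-key authenticator, as described in the SDK section and the paragraph above, removes the OTP brute-force and real-time phishing weaknesses, here is an added generic challenge-response example. It is not nextAuth's protocol or code: it is a textbook Ed25519 challenge-response in which the server issues a random nonce, the device signs the nonce together with the origin it sees, and the server verifies with the enrolled public key and consumes the nonce. The user name, origins and the "relayed phishing" scenario are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server keeps one enrolled device key per user and at most one outstanding
// challenge per user (constructed illustration, not a production design).
type Server struct {
	origin     string
	devices    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, devices: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll stores the device public key; in practice this happens once, over an
// already authenticated channel.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.devices[user] = pub }

// Challenge issues a fresh 32-byte random nonce. There is no short code for an
// attacker to guess: the only secret is the private key held on the device.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// signedMessage binds the nonce to the origin (site or app identity), so a
// signature the device produced for a look-alike phishing origin does not
// verify at the genuine server.
func signedMessage(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator between origin and nonce
	h.Write(nonce)
	return h.Sum(nil)
}

// Verify checks the signature against the outstanding nonce and consumes the
// nonce, so the same signature cannot be presented twice.
func (s *Server) Verify(user string, sig []byte) error {
	pub, nonce := s.devices[user], s.challenges[user]
	delete(s.challenges, user)
	if pub == nil || nonce == nil || !ed25519.Verify(pub, signedMessage(s.origin, nonce), sig) {
		return errors.New("authentication failed")
	}
	return nil
}

// Device models the authenticator app; the private key never leaves it.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{pub: pub, priv: priv}, err
}

// Respond signs the challenge for the origin the device actually sees.
func (d *Device) Respond(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, nonce))
}

// Outcome records whether the server accepted each scenario.
type Outcome struct{ Legit, Replay, Phished bool }

// Demo runs three scenarios against a constructed server and device.
func Demo() (Outcome, error) {
	const genuine = "https://bank.example" // constructed origin
	srv := NewServer(genuine)
	dev, err := NewDevice()
	if err != nil {
		return Outcome{}, err
	}
	srv.Enroll("alice", dev.pub)
	var out Outcome
	// 1. Legitimate login: fresh nonce, signed for the genuine origin.
	nonce, err := srv.Challenge("alice")
	if err != nil {
		return Outcome{}, err
	}
	sig := dev.Respond(genuine, nonce)
	out.Legit = srv.Verify("alice", sig) == nil
	// 2. Replay: the nonce was consumed, so the same signature is rejected.
	out.Replay = srv.Verify("alice", sig) == nil
	// 3. Relayed phishing: the attacker forwards the genuine nonce, but the
	//    device signs for the look-alike origin it sees, so verification fails.
	if nonce, err = srv.Challenge("alice"); err != nil {
		return Outcome{}, err
	}
	sig = dev.Respond("https://bank-login.example", nonce)
	out.Phished = srv.Verify("alice", sig) == nil
	return out, nil
}

func main() {
	out, err := Demo()
	fmt.Printf("legit=%v replay=%v phished=%v err=%v\n", out.Legit, out.Replay, out.Phished, err)
}
```

Two properties do the work here: the nonce is single-use, so a captured response is worthless a second time, and the origin is part of what is signed, so a response obtained through a look-alike site does not verify at the real one. Neither property is available to an OTP, which is just a 6-digit value that can be typed anywhere.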