SMS Two-Factor Authentication – Worse Than Just a Good Password?

Sami Laine

SMS-based two-factor authentication shows up as an option on many websites, but in some cases, it’s worse than not having a second factor at all!

To understand why, we're going to discuss how SMS is being used for authentication and how there’s another— sometimes completely hidden—problem that can lead you to lose your account to attackers.

A Short History of SMS

SMS or Short Message Service, commonly called text messaging, dates all the way back to the mid-1980s when MTV still played music videos and cassette tapes outsold CDs 10-to-1. SMS was first conceived by the GSM standards group as a way to send messages between cellular phones—the first phones able to send SMS appeared in 1994.

When mobile phones broke out from mainly business users to regular people in the mid-2000s, SMS messaging blew up, reaching billions of people and delivering trillions of messages per year. Gateway providers and A2P (Application-to-Person) messaging opened up all kinds of uses and whole industries developed around sending these messages.

Today, 96% of adults in the US have a cell phone and almost everyone uses SMS, making it an attractive channel for all kinds of communication, including sending one-time passcodes. Authentication with one-time codes used to be hard and expensive, with keyfob-style one-time-passcode authentication tokens like RSA SecurID often misplaced or lost by the users. With a phone in every pocket, you now could simply generate the one-time passcode and send it via SMS. The low cost and customer convenience drove SMS two-factor authentication to dominance; current iOS and Android versions even automate the insertion of one-time codes received via SMS.

What’s Wrong With SMS Authentication?

A lot! SMS was never designed to carry information that needed to be secure, just short casual messages—like “pizza tonight?”. All messages are sent in clear text, not encrypted, so the sender has no control over who might read the message as it travels across the different carriers to whatever network you might be roaming on. Using SMS to deliver one-time passcodes makes these codes subject to interception by an attacker in multiple different ways.

  • Network-level attacks take advantage of the fact that pre-5G cellular network back-ends were built on a foundation of trust—every cell network operator inherently trusts all commands from other operators in their back-end signaling systems like the SS7 network. With thousands of operators in the global system, a malicious actor with access can issue commands redirecting SMS messages to intercept authentication codes, among other creepy things.

  • Carrier website attacks leveraged weak authentication on cell provider websites. Some of these allowed you to read your SMS messages via your browser, and were protected by username and password only. This attack vector is mostly now closed by US-based cell carriers.

  • Endpoint attacks use trojans; malware designed to intercept incoming SMS messages right on your phone and silently redirecting them to attackers. SMS intercepting trojans first appeared on Symbian and, today, these trojans are most common on Android devices, prompting Google to create a whole new way of managing access to the SMS inbox.

  • Social engineering attacks are, arguably, the most effective. They exploit the weakest link: humans. SIM swap attacks are a common example of this—an attacker takes over your phone line by convincing your carrier that they’re you, ending up with an activated SIM on your number, ready to receive your authentication SMS messages.

If all this sounds bad, it is. If you’re a victim of SMS takeover, an attacker can very quickly take over your life. This is why the vast majority of security experts recommend against relying on SMS for any high-value online accounts.

The Deeper Problem With SMS

But how can things possibly be worse? In order for SMS interception to be valuable, an attacker needs to also have your primary credentials: your username, and password. If I have a good password and I'm careful not to fall for a phishing scam, I’m still good, right?

No! If a password can be reset with just SMS, there is no need to phish for it.

A group of Princeton University researchers published a draft of a study examining how well US wireless carriers protect against SIM swap attacks and how vulnerable popular websites were to them. They made a website with a memorable URL: https://www.IsSMS2FASecure.com. Spoiler alert: nope.

In addition to looking at cellular carriers, the Princeton team also reverse-engineered the authentication logic of 140 popular websites and found that 17 of them relied on SMS as a single-factor and could be compromised with just a SIM swap even if you didn’t know the password. This included big names in industries from finance to commerce to travel; sites like Paypal, Venmo, Finnair, Amazon, and eBay. Yikes.

How Do You Know Which Sites Put You at Risk?

The Princeton researchers reverse-engineered and analyzed the authentication logic, password reset flows, and account recovery policies of these sites—no small task.

When you go to a website to sign up or log in and they ask for your phone number “for enhanced security”, will you actually do this same analysis? 12% of the sites this research looked at were vulnerable, do you like those odds?

Adding a phone number to get SMS passcodes can give you a false sense of security! It’s difficult or impossible to know if any given site actually allows password recovery just with SMS.

First, Try to Choose Strong Two-Factor Options

You can check what security options many sites offer here. If they include stronger two-factor authentication options like push verification, an authenticator app, or—best of all—a FIDO-based authenticator like U2F or FIDO2 security key, jump on it. These are always the best options, as I outline in another blog post. Start by securing your email account, as email is how almost all systems handle password resets. If your email is compromised, you are guaranteed to have a terrible, horrible, no good, very bad day!

What if the only option is SMS or nothing at all?

If Strong Two-Factor Is Not Available, Use a Password Manager

Yes, it sounds crazy, but for high value accounts with only SMS 2FA, you may be better off with just a great password combined with a password manager app.

First, generate a strong, unique password for each site using a password manager application, like 1Password or LastPass. These apps fill credentials automatically when logging in, and only on the valid websites, minimizing phishing risk. This advice hinges on this! Never type in your password, use the autofill of the password manager. If the autofill feature doesn’t enter the password, you should be suspicious, as you are potentially being phished and should double check that you’re on the genuine site very carefully!

Second, generate random lies for any security questions, such as ‘favorite food’ or ‘street you lived on’. This is why you have the password manager, simply let it generate a random string (or a random word if the site requires just letters). You’ll never need to remember it, that’s the password manager's job. This simple trick makes security questions—a normally weak option—much stronger.

Why is this approach potentially stronger than SMS 2FA? If the website doesn’t know your phone number, they can’t use it for password resets or account recovery and you don’t have to worry about these hidden risks. If you ever need to reset your password or recover your account access, you can still do it the old-fashioned way: email! Which you just secured with a strong two-factor, right?

Do Not Panic

Should you turn off SMS two-factor everywhere? No—I wouldn’t go that far. Although these SMS attacks are real, they’re not yet trivial or easily scaled, so we see them in targeted spear phishing attacks. Most sites also do have reasonable SMS authentication processes.

Here’s what you should do:

  1. Secure your high-value accounts with strong authentication. These include crypto wallets, key financial sites and email– and if you’re an influencer—Twitter, Instagram and the like. For these, if SMS is the only option, turn it off and use a strong password with a password manager instead.

  2. For new accounts, always check for stronger two-factor alternatives before deciding if you should use SMS.

  3. Use a password manager to create strong, unique passwords and to autofill them to protect against phishing attacks.

  4. Finally, make sure to set up a security code on your cellular account today to reduce the risk of losing your account to SIM swap attacks.

Thanks for reading and stay safe!

Sami Laine
Director, Technology Strategy

Sami Laine is Director of Technology Strategy at Okta. For last couple of decades Sami has helped many of the world's largest enterprises, financial institutions and public sector organizations protect against fraud, malware, threats and data breaches and now at Okta helps companies embrace identity as the new security perimeter.