Why is SMS two-factor authentication not secure?
Anyone who is active online will know the concept of SMS two-step verification, or will have been through the process. Many companies and apps use this form of two-factor authentication: they send a code to the user's mobile phone to confirm that the person setting a password or accessing a service is who they claim to be. There are many other authentication methods in use today. The question is whether SMS is really secure, or the best option, for two-factor authentication (2FA).
Understanding 2FA
With SMS two-factor authentication, a system asks the user for their username and password, then sends an SMS text message containing a passcode, usually four or six digits, to the phone number on file for that username. Entering the correct passcode at the prompt is taken as proof that the person holds that phone, and the user is granted access to the application.
2FA via SMS is popular because it is quick and easy: there is nothing to download and no card reader to carry. All the user needs is a mobile phone with a SIM card for the registered number.
The question, however, is whether SMS 2FA is still secure in the face of today's more sophisticated cybercrime. NIST in the United States has advised organizations and government agencies (in its Digital Identity Guidelines, SP 800-63B) that one-time codes sent over SMS can no longer be relied on as secure, having concluded that criminals can steal the passcodes from the text messages.
SMS Vulnerabilities
Though SMS 2FA is still better than a password alone, sophisticated attackers can get around it. According to the global market research firm Forrester, SMS 2FA stops only about 76% of attacks when it is specifically targeted. So, in what ways can SMS-based security be compromised?
· Intercepting SMS codes
A few years back, attackers abused SS7 (Signaling System 7), the standard signaling protocol suite that carriers use to route calls and text messages between networks. With access to SS7, they redirected victims' SMS messages and read the 2FA codes before the messages reached the victims' phones, then used those codes to get into the victims' bank accounts. Another way an attacker can read SMS texts is through apps such as Hangouts and Google Messenger. Once installed on a phone, these apps have access to the SMS inbox, so if an attacker can compromise any of them, they can read 2FA codes directly.
· Mobile phones can be stolen or viewed without authorization
A device carried around all day can be lost or stolen. If the phone is not locked, an attacker can read the passcodes directly, and even a fingerprint lock is not as secure as one might think. More importantly, the text notification preview shows the message on the screen even while the device is locked, so anyone who picks up the phone can read a 2FA passcode without unlocking it. Hiding notification content on the lock screen removes this particular exposure.
· Spoof SMS verification
Attackers use phishing to collect people's email addresses and phone numbers. They then go to the login page of the victim's email provider and request a password reset, which causes a 2FA text to be sent to the victim's phone. At the same time, the attacker sends the victim a message that looks authentic, asking them to reply with the code they just received. The moment the victim sends the code, the attacker completes the reset and takes over the email account. Phishing is the most common form of cybercrime: reported phishing incidents more than doubled from 114,702 in 2019 to 241,324 in 2020.
· Phone accounts can be hijacked
This attack is known as a SIM swap. Using personal details gathered about the victim, the attacker convinces the mobile carrier to move the victim's phone number to a new SIM in the attacker's possession. From then on, the attacker receives the victim's 2FA texts and can use them to get into the victim's accounts.
Alternative secure authentication options
1. OTP method
A one-time password (OTP) generated on the smartphone is valid for a single use and a short time window, so it cannot be replayed the way a regular password can. The OTP is computed inside an authenticator app from a secret shared at enrollment and never travels over the carrier's network, which makes it more secure than a passcode sent by SMS message. A code sent by SMS is technically also a one-time password; the difference that matters is how it is delivered.
2. FIDO U2F
The FIDO (Fast Identity Online) Alliance's Universal Second Factor, or U2F, is a leading option for 2FA. It is an open authentication standard that uses hardware authenticators, such as USB security keys or a phone, holding secret cryptographic keys, similar in principle to smart cards with PKI (public key infrastructure). At registration the authenticator creates a key pair bound to the website's origin; at login the user inserts the token into a USB slot and touches it (some authenticators also require a PIN) to sign a challenge from the site. No text code is ever typed or transmitted, and because the signature is tied to the genuine site's origin, a signature obtained by a look-alike phishing site will not verify at the real site. That origin binding is what makes U2F phishing-resistant.
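Why U2F resists phishing comes down to origin binding, which the following added Go example (not the article's code, nor the FIDO Alliance's) simulates with P-256 ECDSA, the curve U2F uses. The `Authenticator`, `RelyingParty` and `Scenario` names, the map-by-origin key storage and the two origin names are assumptions; real U2F signs the hashed application ID plus client data and returns an opaque key handle, which the example simplifies to a hash of origin and challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a U2F security key. A real token hands back an opaque
// key handle at registration; the map keyed by origin is an assumption made here.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

// Register mints a fresh P-256 key pair bound to origin and returns its public key.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign is what the browser asks the token to do at login. The browser, not the
// web page, supplies origin, so a phishing page cannot claim to be the bank.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %s", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// signedData ties the signature to both origin and challenge (real U2F signs
// the hashed application ID plus client data; this is the simplified form).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin||challenge cannot be re-split
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the website verifying the login.
type RelyingParty struct {
	origin string
	pub    *ecdsa.PublicKey
}

func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read cannot fail on supported platforms (Go 1.24+)
	return c
}

func (rp *RelyingParty) VerifyLogin(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, signedData(rp.origin, challenge), sig)
}

// Scenario plays out a genuine login, then a relayed login from a phishing
// site, and reports whether each defense held. Origin names are hypothetical.
func Scenario() (legit, tokenRefused, sigRejected bool, err error) {
	const bank, phish = "https://bank.example", "https://bank-login.example.net"
	token := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub, err := token.Register(bank)
	if err != nil {
		return
	}
	rp := &RelyingParty{origin: bank, pub: pub}
	// Genuine login: the bank's challenge, signed for the bank's origin.
	ch := newChallenge()
	sig, err := token.Sign(bank, ch)
	if err != nil {
		return
	}
	legit = rp.VerifyLogin(ch, sig)
	// Phishing: the attacker relays a real bank challenge to the victim's
	// browser, which reports the phishing site's origin to the token.
	ch = newChallenge()
	_, signErr := token.Sign(phish, ch)
	tokenRefused = signErr != nil
	// Worst case: the victim also registered the token on the phishing site.
	// The signature still covers the phishing origin, so the bank rejects it.
	if _, err = token.Register(phish); err != nil {
		return
	}
	if sig, err = token.Sign(phish, ch); err != nil {
		return
	}
	sigRejected = !rp.VerifyLogin(ch, sig)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Contrast this with an SMS or app code: a six-digit code typed into a phishing page is just as valid at the real site, because nothing in it says where it was entered. The signature here carries the origin, and that is the property no relay attack can launder.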
3. Push authentication
A push notification is sent to the user's smartphone as an out-of-band authentication step. The user taps "approve" or "decline" to confirm that they initiated the request, and the authentication app reports the result back to the target application. Because nothing is typed at the password prompt, there is no code for an attacker to capture there, and the process is faster than typing a passcode. One caveat: an attacker who already holds the password can trigger prompt after prompt in the hope that a tired user taps approve, so push should show the user context (such as a number to match or the requesting location) rather than a bare approve button.
4. The best solution – MFA
Multi-Factor Authentication (MFA) combines factors and is stronger than any of the single second factors described above. Although FIDO U2F and app-generated OTPs are each more secure than SMS 2FA, a risk-based MFA deployment is not a one-size-fits-all solution: it applies the strongest authentication where behavioral and contextual signals call for it. A risk score computed from those signals triggers stronger authentication only when needed. According to Microsoft, MFA blocks over 99.9% of account compromise attacks. A tool this simple that delivers results this good is something every enterprise and individual should be using.
For example, if a user logs in from a new device, a new location, or a new Wi-Fi network, the system asks for additional proof before accepting the credentials. It can do this because it has learned that the user normally logs in from the same device, from the same location, and at the same times, which is consistent with the account not being compromised. Anything that departs from that pattern raises the risk score, and the MFA system responds by demanding a second step with a different factor.
Risk-based authentication strikes the right balance between a user-friendly experience and security: where the situation and the user are low risk, no additional authentication is needed.
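An added example of the risk scoring described above, in Go (not code from the original article or from any vendor's product): the server compares each login against what it remembers about the user and picks the authentication step to demand. The signal weights, the thresholds, the 900 km/h impossible-travel bound, the UTC off-hours rule and the sample Mumbai and New York logins are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// LoginAttempt is the context the server sees for one authentication request.
type LoginAttempt struct {
	DeviceID string
	Country  string
	Lat, Lon float64
	At       time.Time
}

// History is what the server remembers from the user's earlier successful logins.
type History struct {
	KnownDevices   map[string]bool
	KnownCountries map[string]bool
	LastLat        float64
	LastLon        float64
	LastAt         time.Time
}

// Decision is the authentication requirement chosen for the attempt.
type Decision int

const (
	Allow                    Decision = iota // low risk: password is enough
	RequireSecondFactor                      // medium: push or app OTP
	RequirePhishingResistant                 // high: security key, or deny if none enrolled
)

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// Score adds points for each risk signal. The weights are assumptions for this
// example; a production system would tune them from its own incident data.
func Score(h History, a LoginAttempt) (int, []string) {
	score, reasons := 0, []string{}
	if !h.KnownDevices[a.DeviceID] {
		score += 40
		reasons = append(reasons, "new device")
	}
	if !h.KnownCountries[a.Country] {
		score += 30
		reasons = append(reasons, "new country")
	}
	// Impossible travel: the user would have had to move faster than an
	// airliner (about 900 km/h) since the last login.
	if hours := a.At.Sub(h.LastAt).Hours(); !h.LastAt.IsZero() && hours > 0 {
		if haversineKm(h.LastLat, h.LastLon, a.Lat, a.Lon)/hours > 900 {
			score += 50
			reasons = append(reasons, "impossible travel")
		}
	}
	// Off-hours in UTC; a real system would use the user's usual time zone.
	if hr := a.At.UTC().Hour(); hr < 6 || hr >= 23 {
		score += 10
		reasons = append(reasons, "off-hours")
	}
	return score, reasons
}

// Decide maps the score to the authentication step to demand.
func Decide(score int) Decision {
	switch {
	case score < 30:
		return Allow
	case score < 70:
		return RequireSecondFactor
	default:
		return RequirePhishingResistant
	}
}

func main() {
	// Constructed history: a user who always logs in from one laptop in Mumbai.
	h := History{
		KnownDevices:   map[string]bool{"laptop-1": true},
		KnownCountries: map[string]bool{"IN": true},
		LastLat:        19.0760,
		LastLon:        72.8777,
		LastAt:         time.Date(2024, 1, 10, 10, 0, 0, 0, time.UTC),
	}
	// An hour later the same account appears on a new phone in New York.
	a := LoginAttempt{DeviceID: "phone-9", Country: "US", Lat: 40.7128, Lon: -74.0060,
		At: time.Date(2024, 1, 10, 11, 0, 0, 0, time.UTC)}
	s, why := Score(h, a)
	fmt.Println(s, why, Decide(s))
}
```

The point of the scoring is the last branch of `Decide`: a login that trips the impossible-travel rule is exactly the case where an SMS code would be delivered to whoever currently controls the phone number, so the policy escalates to a factor that a SIM swap or a relayed code cannot satisfy.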
Conclusion
Despite everything, many organizations continue to use SMS 2FA. Its security can be improved by following some basic practices: never share a password, change passwords periodically, use the HTTPS Everywhere browser extension (or the browser's built-in HTTPS-only mode) so that web traffic is encrypted, and never text a 2FA code in reply to an SMS request, no matter how genuine it looks.
Uma, thanks for sharing! How are you doing?
While I agree that SMS-generated codes and 2FA are not a silver bullet, the probability and likelihood of both an individual's credentials and the telecommunication systems of the individual authenticating being compromised is rare; by definition, two factors and multiple factors work as gates to stop adversaries from gaining access.