Why SMS-Based Authentication Falls Short for Account Security (2024)

Coinbase, one of the world's largest cryptocurrency exchanges, has reported that about 95% of the account takeovers it experienced hit accounts protected only by SMS-based multi-factor authentication (MFA). Offering an SMS one-time passcode (OTP) is a step towards securing customer accounts, but on its own it no longer holds up against the current threat landscape.


About 95% of Coinbase's customers use SMS-based authentication, the weakest method the platform offers, and those users accounted for 95.65% of all account takeovers Coinbase had seen as of November 2022. Read together, the two figures say SMS users are taken over at roughly their share of the customer base, so the case against SMS rests on the attacks described below rather than on this statistic alone.

SMS-based multi-factor authentication, also called SMS OTP, delivers a one-time code by text message; the user types it in to prove they hold the phone. It is easy to roll out, but stronger methods now exist that give both the provider and the customer a higher level of assurance. The code can be intercepted in transit, the phone number itself can be stolen through SIM swapping (or a number port-out at the carrier), and a phishing page can simply ask the user to type the code in, after which the attacker relays it to the real service before it expires.

NIST has been warning about this since 2016, when the draft of Special Publication 800-63B (Digital Identity Guidelines) deprecated SMS as an out-of-band authenticator. The published guidelines class authentication over the public switched telephone network, SMS and voice alike, as a "restricted" authenticator: organizations may still use it, but must assess the risk, offer at least one alternative that is not restricted, and tell users it may be retired. Either way the direction is clear: move to stronger methods.

Stronger Authentication Types
So, what are the alternatives to SMS? The strongest is a hardware security key (FIDO2/WebAuthn, for example a YubiKey) that connects over USB, NFC or Bluetooth. The key does not produce a code for the user to type. It holds a private key that never leaves the device and signs a fresh challenge from the service, and that signature is bound to the web origin the browser reports, so a look-alike phishing site cannot obtain anything it can replay at the real site. That is why security keys are the only option here that counts as phishing-resistant.
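To make the origin-binding point concrete, here is an added example, not Coinbase's, Yubico's or any vendor's code, that models a security-key login in Go with only the standard library: the key signs a server challenge together with the browser-reported origin, and the relying party verifies against its own origin. The type names and the exchange.example and exchange-login.example domains are assumptions made for the example; real WebAuthn signs a richer structure, but the origin check works the same way.

```go
package main

// Added example, not Coinbase's, Yubico's or any vendor's code: a toy model of why a
// FIDO2/WebAuthn security key resists phishing. The key never emits a code; it signs a
// server challenge together with the origin the browser reports, so an assertion made
// on a look-alike site fails at the real site. Type names and domains are assumptions.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Authenticator models the key: one private key per relying party (rpId), never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData is what the key signs: a hash over the length-prefixed rpId, the
// browser-reported origin and the challenge (real WebAuthn covers more, same effect).
func signedData(rpID, origin string, challenge []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(rpID), []byte(origin), challenge} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

// Assert signs challenge for the origin the browser reports. The user types nothing;
// a page served from a phishing domain gets that domain as its origin.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, origin, challenge))
}

// RelyingParty models the genuine site. It verifies against its OWN origin and
// ignores whatever origin the client claims, so a relayed assertion cannot be relabelled.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
}

// NewChallenge returns 32 random bytes; a fresh challenge per login prevents replay.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, signedData(rp.ID, rp.Origin, challenge), sig)
}

// Scenario runs an honest login and a real-time phishing relay and reports which of
// the two assertions the relying party accepts.
func Scenario() (honestOK, phishOK bool, err error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "exchange.example", Origin: "https://exchange.example"}
	if rp.pub, err = auth.Register(rp.ID); err != nil {
		return false, false, err
	}
	// Honest login: the browser is on the real origin.
	ch := rp.NewChallenge()
	sig, err := auth.Assert(rp.ID, rp.Origin, ch)
	if err != nil {
		return false, false, err
	}
	honestOK = rp.Verify(ch, sig)
	// Relay: the attacker fetches a genuine challenge and forwards it to the victim,
	// whose browser sits on the phishing origin and therefore signs for that origin.
	// (A real browser refuses even earlier, since rpId must match the page's domain.)
	ch2 := rp.NewChallenge()
	sig2, err := auth.Assert(rp.ID, "https://exchange-login.example", ch2)
	if err != nil {
		return false, false, err
	}
	phishOK = rp.Verify(ch2, sig2)
	return honestOK, phishOK, nil
}

func main() { fmt.Println(Scenario()) } // prints: true false <nil>
```

The relying party never trusts an origin string sent by the client; it hashes in the origin it knows itself to be, which is what makes a credential captured on another domain worthless.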

Another option is a TOTP authenticator app such as Google Authenticator or Authy. At enrolment the service and the app share a secret (usually via a QR code); from then on both derive a short-lived code from that secret and the current time, so nothing travels over the phone network. This takes interception and SIM swapping out of the picture, but the code is still something the user types and can therefore be phished: a proxy site that forwards it to the real service within its 30-second validity window gets in.

Lastly, push authentication is a mobile-centric method: the service sends a notification to a registered app over an authenticated channel, and the user approves or denies the login in the app. Because approval is a single tap, an attacker who already holds the password can send prompt after prompt until a tired user accepts one (MFA fatigue), so push should be combined with number matching, where the user must enter a number displayed on the login screen, and with a cap on repeated prompts.

💡Offering stronger alternatives to SMS is an opportunity to improve your security posture and your customer experience at the same time.

SMS-based authentication is no longer sufficient on its own to stop account takeovers. It is convenient and easy to use, but it does not hold up against SIM swapping, interception or phishing. As threats evolve, users should move to stronger methods such as security keys or authenticator apps, and as a platform provider it is your responsibility to make those options available, steer customers towards them, and explain why, so they can protect their digital assets and personal information.


FAQs

Why SMS-Based Authentication Falls Short for Account Security? ›

On a lost or stolen phone the codes arrive in plain text and are often readable on the lock screen, so whoever holds the device can complete a login. The handset is not even required: SMS has no end-to-end encryption, and messages can be redirected or intercepted remotely through a SIM swap, SS7 access or carrier-side access.

What is the vulnerability of SMS authentication? ›

The main risks are: interception (SMS has no end-to-end encryption and is readable by the carrier and by anyone who can reach the signalling network); dependence on the mobile network (no coverage or an outage means no code); SIM swapping (an attacker moves the victim's number to a SIM they control and receives the codes); and SS7 exploitation (attackers with access to the carrier signalling network can redirect messages, which takes more effort than a phishing kit but has been done in practice).

Why is authenticator more secure than SMS? ›

An authenticator app is safer than SMS because it generates the code locally from a shared secret and the clock, so there is nothing for a SIM swapper or an SS7 eavesdropper to intercept. The code can still be phished and relayed by a proxy site, so it is an improvement, not phishing resistance.

Why do banks still use SMS 2FA? ›

Banks use SMS 2FA because it is cheap, works on any phone without an app, and is far more secure than a password alone against account takeovers.

What is SMS-based authentication? ›

In some identity platforms the term means SMS as the primary sign-in rather than a second factor: Microsoft Entra ID (formerly Azure AD), for example, lets an administrator enable SMS-based sign-in so that a user enters only a phone number and the texted code, without providing, or even knowing, a username and password. That is a different use from the second-factor SMS this article discusses, and it inherits the same weaknesses with no password as a backstop.

What are the disadvantages of SMS authentication? ›

The main problem with SMS authentication is its reliance on the cellular network, which is exposed to SIM swapping and SS7 attacks and offers no end-to-end encryption.

Is SMS security safe? ›

SMS is not end-to-end encrypted. The radio link between the handset and the cell tower is usually encrypted (the GSM, UMTS or LTE air-interface ciphers), which is the only sense in which it beats an open Wi-Fi network. From the tower onwards the message is plaintext inside the carrier network, across SS7 interconnects and at any SMS aggregator in the path, and anyone who has moved the victim's number to their own SIM receives it directly. Treat SMS as a transport that is unsafe for secrets.

Is SMS-based 2FA safe? ›

The use of SMS-based authentication is no longer sufficient to protect against account takeover attempts. While it may be a convenient and easy-to-use method of authentication, it is not secure.

Is SMS or email 2FA better? ›

Neither is strong: both send the code over a channel an attacker can take over outside the service (a SIM swap or SS7 redirect for SMS, a compromised or phished mailbox for email). TOTP-based 2FA is more secure than either because the code never leaves the user's device until they type it, which leaves phishing as the remaining attack.

Why is 2 step verification not safe? ›

The usual failure is MFA fatigue, also called prompt bombing: an attacker who already has the password triggers push prompt after push prompt, and the user, who has no context for what is being approved, eventually taps Approve to make them stop, or approves by mistake. Number matching (the user must enter a number shown on the login screen) and limits on repeated prompts close this gap.
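The push flow described under Stronger Authentication Types above and the fatigue attack in this answer, as an added example in Go that is not any vendor's push service: number matching makes a blind tap on an attacker's prompt fail, and a per-user cap on prompts refuses the bombing attempt. The types, the limits (three prompts per ten minutes) and the user "alice" are assumptions made for the example.

```go
package main

// Added example, not any vendor's push service: a push verifier that uses number
// matching (the user must type a number shown on the login screen, so a stray prompt
// cannot be approved with one tap) and caps prompts per user per window, so an attacker
// who holds the password cannot bomb the phone with prompts until one is approved.
// Types, limits and the user "alice" are this example's own assumptions.

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrTooManyPrompts = errors.New("too many recent push prompts; refusing (possible prompt bombing)")

// Prompt is one pending login decision delivered to the phone.
type Prompt struct {
	Number  int // shown only on the login page that triggered the prompt
	Created time.Time
	State   string // pending, approved or denied
}

// PushService is the server side. Now is injectable so the example is deterministic.
type PushService struct {
	Now        func() time.Time
	MaxPrompts int           // prompts allowed per user inside Window
	Window     time.Duration // sliding window for the cap
	history    map[string][]*Prompt
}

func NewPushService(now func() time.Time) *PushService {
	return &PushService{Now: now, MaxPrompts: 3, Window: 10 * time.Minute, history: map[string][]*Prompt{}}
}

// SendPrompt runs after the password check. It prunes prompts older than Window and
// refuses once the cap is hit, instead of letting the caller keep ringing the phone.
func (s *PushService) SendPrompt(user string) (*Prompt, error) {
	cutoff := s.Now().Add(-s.Window)
	kept := s.history[user][:0]
	for _, p := range s.history[user] {
		if p.Created.After(cutoff) {
			kept = append(kept, p)
		}
	}
	s.history[user] = kept
	if len(kept) >= s.MaxPrompts {
		return nil, ErrTooManyPrompts
	}
	n, err := rand.Int(rand.Reader, big.NewInt(100)) // two-digit matching number
	if err != nil {
		return nil, err
	}
	p := &Prompt{Number: int(n.Int64()), Created: s.Now(), State: "pending"}
	s.history[user] = append(kept, p)
	return p, nil
}

// Respond is what the phone app calls; typed is the number the user entered, or -1 if
// they only tapped Approve. Number matching defeats accidental and fatigue approvals;
// it does not stop an attacker who phones the victim and reads the number out, which
// is why the cap and user education still matter.
func (s *PushService) Respond(p *Prompt, approve bool, typed int) bool {
	if p.State != "pending" {
		return false // already decided; a prompt is answered once
	}
	if !approve || typed != p.Number {
		p.State = "denied"
		return false
	}
	p.State = "approved"
	return true
}

// Scenario runs a genuine login, a blind tap on an attacker's prompt and a bombing
// attempt; it returns the two approval outcomes and the error from the fourth prompt.
func Scenario() (genuineOK, blindTapOK bool, fourthErr error) {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	svc := NewPushService(func() time.Time { return clock })
	send := func() *Prompt {
		p, err := svc.SendPrompt("alice")
		if err != nil {
			panic(err) // the first three prompts are under the cap by construction
		}
		return p
	}
	p := send()
	genuineOK = svc.Respond(p, true, p.Number) // user copies the number off the login page
	blindTapOK = svc.Respond(send(), true, -1) // victim taps Approve on the attacker's prompt
	send()                                     // attacker's second prompt: still allowed
	_, fourthErr = svc.SendPrompt("alice")     // attacker's third: over the cap
	return genuineOK, blindTapOK, fourthErr
}

func main() { fmt.Println(Scenario()) } // prints: true false too many recent push prompts; refusing (possible prompt bombing)
```

A production service would also alert on the refusal and on explicit denials, since either is a strong signal that the password is already in an attacker's hands.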

Why is SMS authentication insecure? ›

The main weakness of SMS is that it is not encrypted end to end: the message is readable at the carrier and on any path it is redirected through, so sending anything sensitive by SMS, a login code included, is risky.

Is Microsoft phasing out SMS authentication? ›

You will not be able to add users to an exemption group that will allow them to still use SMS after July 2023. Microsoft will no longer support SMS for certain types of sign-ins, including sign-ins from new devices and sign-ins that require multi-factor authentication.

How does SMS security work? ›

SMS authentication is a form of 2FA, which adds an extra layer of security to the user authentication process. A one-time code is sent to the user's mobile phone via SMS, which they must enter to confirm their identity.

What is authentication vulnerability? ›

Authentication vulnerabilities are issues in an authentication process that let an attacker masquerade as a legitimate user of a website or application.

What are the weakness of message authentication code? ›

This question concerns the cryptographic message authentication code, not SMS. A MAC relies on a key shared by sender and recipient, so if that key is compromised an attacker can generate valid tags and impersonate the sender. Even without compromise a MAC cannot provide non-repudiation, because the recipient holds the same key and could have produced the tag; that property requires a digital signature.

How secure are SMS messages? ›

Short Message Service (SMS) messages have no end-to-end encryption. Carriers encrypt the radio link with the basic GSM or CDMA air-interface ciphers, but beyond the tower the message is plaintext, so the carrier, anyone with access to its network or to the SS7 signalling system, and anyone who has taken over the number can read it.

Article information

Author: Melvina Ondricka
