Why SMS Authentication is a Liability, Not a Security Layer

November 22, 2024·Liam Elliott

Welcome to the modern web, where hackers hide in the shadows, and nothing is safe. Our digital lives are direct analogues of our real lives, and keeping them secure is important. Multifactor authentication is being sold as a panacea that will keep you secure no matter what. This is about as true as a cat’s promise to stop knocking things off tables.

SMS-based authentication plays fast and loose with the “something you have” principle of multifactor authentication. This principle suggests that secure authentication should verify physical possession of a device or token. However, SMS authentication fails to meet this standard. If you remember anything after reading this article, make it this thought:

Knowing a code sent in an SMS message only proves that you were able to read a message addressed to that subscriber ID. It does not prove you hold the phone.

SMS-Based MFA Vulnerabilities

With this fundamental weakness in mind, let’s explore the specific vulnerabilities. The security of an authentication strategy is severely limited by the strength of its weakest link.

From an attacker's point of view, the only requirement is the ability to read a subscriber's messages. There are several ways to get that.

The Slick and Sly Social Engineers

The most common attack occurs when an attacker simply calls the phone company and gets them to associate the target’s subscriber ID with their own SIM card. How absolutely concerning is this? Welcome to the SIM-swapping attack, where the front door to your house is protected by a 15-minute phone conversation instead of a deadbolt.

As an attacker, I can also call you directly. This is an alternative to dealing with the phone company and subscriber details. If I can convince you to change the phone number for SMS authentication to one that I control, that’s also a win for me. Just like that, my chances of gaining access are doubled.

Social engineers will often call and fake stressful or traumatic experiences to manipulate support representatives into bypassing security controls. Sometimes, they might collect all of the information before the authentication attempt by socially engineering the target themselves.

Long story short, there are too many ways to use social engineering to gain access to a user’s account when it is protected by SMS. There are even cases where employees of cell phone companies were bribed to perform SIM transfers. If you’re following me so far, understand that SMS is bad and should never be relied on for security.

The Failings of SMS

The biggest failing of SMS is that it has no sender authentication. The recipient has no way to verify that a message actually came from the sender it claims to be from, and the sender field can be set to an arbitrary value.

By sending unauthenticated messages, I can impersonate other network users and do something like the following:

  1. Send you a message claiming that your account will be permanently banned unless you reply with the verification code that is about to be sent
  2. Attempt to log in to your legitimate account, which causes the real service to send you a real code
  3. Seconds later, you receive that code as expected and send it to me, as requested in my lovingly crafted spoofed message
  4. I take the code, use it to log in to the service, rob you blind and enjoy a nice glass of champagne for a job well done

If you’re still following me, understand that SMS is bad and should never be relied on for security.

The Failings of Enterprise

Traditional organizations that had to become tech-aware often have the most insecure authentication methods. Phone companies and banks are at the very top of this list. Many times, they’ll authenticate callers with questions that can be answered simply by looking at the target’s social profiles. This creates a disaster waiting to happen.

The National Institute of Standards and Technology (NIST) is a US government agency that publishes security guidance for organizations and individuals. NIST also creates and manages many of the cryptographic standards that keep our data secure. They recommended that organizations not use SMS-based multifactor authentication back in June 2017 (NIST Special Publication 800-63B).

The Business Problem

Ever had that moment when you’re about to close a huge deal, and suddenly you can’t log in because that magical six-digit code never arrived? You’re not alone. According to industry studies, approximately 1-5% of SMS messages never reach their destination - that’s like forcing your customers to play Russian roulette with their account access.

Phone number changes are no longer just about avoiding an ex—they’re now corporate emergencies. Each change sets off a domino effect of locked accounts and frustrated customers. International travel? Good luck explaining to your most valuable customer why they can’t access their funds on a mission-critical business trip to Tokyo.

Each account lockout typically takes 1-2 hours to fully resolve when you factor in wait times, identity verification, and getting access restored across multiple systems. And that’s assuming everything goes smoothly - complex cases can stretch into days of back-and-forth with IT. When you add up the costs of lost productivity and support resources across your organization, SMS authentication becomes a surprisingly expensive security choice. Factor in the deals delayed or lost because someone couldn’t access their systems at a crucial moment, and the true cost to your business becomes painfully clear.

The Path Forward: Secure Alternatives to SMS Authentication

So SMS authentication is a mess - but what’s the alternative? Don’t worry, the tech world hasn’t left you hanging. We’ve got some seriously better options that won’t make you pull your hair out every time you travel abroad.

Think of these alternatives like upgrading from a rusty old padlock to a smart home security system. Here’s what’s hot in the world of not-getting-hacked:

  1. Passkeys
    The new kid on the block and absolute star of the show. Imagine never having to type another code or worry about your phone being hijacked. That’s passkeys for you - they’re like a VIP bouncer who actually knows what they’re doing.

  2. Authenticator Apps (Aegis, Google Authenticator, Authy)
    Remember those SMS codes? These apps do the same thing, except they can’t be intercepted by some random person sweet-talking your phone company. Plus, they work without cell service - perfect for that business trip to the middle of nowhere.

  3. Hardware Security Keys (YubiKey, Titan)
    The paranoid person’s best friend (in a good way). These little USB keys are like having a tiny Fort Knox for your digital life. Sure, they cost a few bucks, but so does dealing with a stolen identity.

  4. Biometric Authentication
    Your fingerprint, your face, your problem solved. While not perfect on its own, it’s a great sidekick to the other methods. Plus, it makes you feel like a secret agent, and who doesn’t want that?

The best part? All these options are already built into most modern systems. You’re not reinventing the wheel - you’re just upgrading from a square one to something that actually rolls smoothly.

If you followed me all the way to the end, understand that SMS is bad and should never be relied on for security. Time to give it the boot and move on to better things.

We’re the authentication whisperers - experts at making these fancy security systems play nice with your business. Want to upgrade your digital locks without the headache? Let’s talk.