Two-factor authentication has become a necessity in the tech industry. Driven by several high-profile breaches, most of the industry has adopted two-factor authentication to protect its users and its own brand. With this push, SMS verification has become the most popular verification mechanism, since most users have an SMS-capable phone number and it requires no additional apps.

However, for all the ubiquity of SMS, it has some serious disadvantages when used as a verification method. Even the National Institute of Standards and Technology has pointed out that SMS has numerous potential security issues and that organizations should switch to more secure methods.

In this post I point out some key issues to keep in mind before you make this decision for your organization or application.

Susceptible to Fraud

The SMS protocol was designed to carry short messages back and forth between users, not to serve as a secure authentication or verification channel for banks and other enterprises. As a result, there are several security issues to be aware of when using SMS.

SS7 Hacking

SMS messages are transported over the SS7 signalling network. Compromising the SS7 network and rerouting a victim's incoming SMS messages to another device is becoming frighteningly easy for attackers. Combined with username/password data from earlier breaches, fraudsters can gain access to the victim's accounts to steal data or commit fraud.

Device Malware with SMS Forwarding

In recent years new types of device malware (especially focused on Android devices) have targeted users' SMS messages. This report from Trend Micro shows how malware installed via an app goes on to behave as an SMS relay, forwarding SMS messages to the attacker. The malware steals one-time PIN codes from the device and, combined with stolen credentials, enables fraudsters to gain full access.

Social Engineering

Fraudsters pose as an employee of the bank or organization and trick users into sharing the SMS code to gain access. As conveyed in this account from a Reddit user, the fraudster typically already has the user's account credentials and initiates the verification process from the bank's website. They then call the user, posing as an agent of the bank, and ask them to read back the code. This gives them full access to the user's account.

Delivery Issues

SMS's primary purpose is person-to-person asynchronous messaging. Momentary delays between messages are completely acceptable between users. In a business scenario, however, a delay while the user is waiting on an authentication code is unacceptable. In addition to delays, messages are often not delivered at all, because of the number of hops between the enterprise and the recipient's wireless carrier. Combined, these make SMS verification a very unreliable channel for authentication purposes.

Bad User Experience

The bar on user experience has been raised tremendously over the past few years. SMS verification is an area where inherent limitations prevent a seamless experience. The process requires users to leave the app they started in and switch to the messaging app to copy the code sent by SMS. Once the code is copied (or mentally noted), they switch back to the app that initiated the verification to paste the code and complete the process. This back-and-forth app switching results in a bad experience for customers, especially on their first interaction with the app.

Poor Conversions

Slow SMS delivery and the poor experience lead to high drop-offs at registration. Over time this can contribute negatively to the business's conversion numbers.

Recommendations

Frankly, even a poor two-factor mechanism is better than having no two-factor authentication at all. If nothing else is available, SMS verification is still the way to go. Alternatively, here are a couple of options that would serve an organization and its users better.

Authenticator Apps

Apps dedicated to two-factor authentication have none of the issues described above for SMS verification. They are safe from the SS7 and SMS-forwarding attacks, and less susceptible to social engineering. Options such as Google Authenticator or Authy from Twilio are the best way to go. However, they are still no better for the user experience, and getting the user to set one up the first time can be daunting. Additionally, these apps only help with two-factor authentication, not with phone number verification.

Danal's Network-Based Phone Verification

The seamless network-based offering from Danal eliminates all the issues faced by SMS verification. Additionally, being a frictionless and invisible solution, it enables the best possible experience for users. For app-based businesses, this is by far the best mechanism to employ for verification.