Blog article
See all stories »

Don't Use SMS For 2FA. Here Is Why.

Strong customer authentication necessarily forms the backbone of any fintech application and it is common to make use of multi-factor authentication (MFA) to provide additional levels of security to protect any transaction from being compromised.

Multi-factor authentication (MFA) encompasses three types of authentication: knowledge (something you know), possession (something you have) and inherence (something you are). Other authentication methods became necessary when passwords could no longer withstand sophisticated hacker attacks.

 Global Knowledge decribes the three recognised types of authentication factors:

  • Type 1 – Something You Know – includes passwords, PINs, combinations, code words, or secret handshakes. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.
  • Type 2 – Something You Have – includes all items that are physical objects, such as keys, smart phones, smart cards, USB drives, and token devices. (A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.)
  • Type 3 – Something You Are – includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.

One of the more common forms of additional authentication used by financial institutions is phone-based SMS messages (something you know), which function as a second level of security on top of requiring a password.

Though still prevalent, there is more and more evidence against using SMS in two factor authentication (2FA) because it has not proved to be a secure medium of authentication. Studies are finding that the main issue with using SMS in 2FA is that the cell phone providers themselves and their network are vulnerable to phishing, spoofing and social engineering.

Protectimus identifies the main SMS 2FA weakness as its dependency on the cell phone service provider. It explains: “The practice of reusing mobile phone numbers is a distinctive risk. If your one time password (OTP) is delivered via SMS, all the hackers need to do is get the ownership of your phone number. A criminal impersonates their target and convinces the provider the user’s phone is lost so the number needs to be transferred. Doing this is not as hard as you might think.”

Another issue, it says, is that it is easy to infect a smartphone with malware and intercept the OTP SMS through the phone’s internet connection.

A study conducted by the Department of Computer Science and Centre for Information Technology Policy at Princeton University confirms the risks associated with using SMS as a 2FA. The study, An Empirical Study of Wireless Carrier Authentication for SIM Swaps, notes that, although this means of authentication is a ubiquitous as a second factor or account recovery method, it does expose customers to “severe risks”.

It says attackers can intercept SMS passcodes “in a number of ways”, including “surveilling the target’s mobile device or stealing the passcode with a phishing attack”. The most widely reported method for intercepting phone-based authentication passcodes, according to the researchers, is a SIM swap attack. They explain that by making an unauthorized change to the victim’s mobile carrier account, the attacker diverts service, including calls and messages, to a new SIM card and device that they control.

The authors say they hope the findings of the study will see providers “phase out insecure configurations and properly educate users about the risks of SMS MFA.”

Positive Technologies also engaged in an exercise to highlight how easy it is to comprise the security of SMS’s. They hacked into a bitcoin wallet by intercepting text messages and exploiting flaws in the mobile phone company. In so doing, they managed to reset the password to the Gmail account and take control of the Coinbase wallet.

In an article titled Why 2FA SMS is a Bad Idea, Justin Channel says that weak 2FA is in some ways worse than no 2FA at all. “In the case where SMS- or phone-based authentication is the only option offered by a service, it’s actually safer to skip 2FA. A good password policy will be the best option in this case.”

Despite these flaws, however, SMSs are still regularly used by financial institutions as a second layer of authentication. However, fintechs, whose business propositions rely on the security of their offerings, need to take this evidence seriously and begin implementing the other available, and far more secure alternatives to SMS as a 2FA, which include hardware, software, IP, GPS or biometric authentication.

How do these other methods of authentication work?

Hardware authentication uses a dedicated physical device to grant access to an application. Its strength lies in the fact that the user has to have the physical device, such as a token, to get access to the computer or application. The device creates a unique and temporary code that, in addition to a password, enables the user to gain access to the system. The drawback is that the device can get lost or stolen, which creates problems accessing the system for the user.

Meanwhile, software authentication makes use of token codes that are generated with a mobile application like Google Authenticator. The main benefit of using this form of authentication is that it does not rely on the phone network for authentication.

IP-based authentication checks the user’s IP address when logging in and confirms it correlates with the vendor’s database. This method of authentication eliminates the need for user IDs and passwords and SMS authentication. It also blocks access to IPs that suspected of being malicious and only allows logins from known IP addresses.

GPS authentication uses mobile GPS data as an added level of security that allows banks or other payment providers to use the geolocation information gained from the app to determine whether a transaction aligns with the location of the individual’s mobile.

Biometric authentication, using a thumbprint or facial recognition, is becoming more commonplace. It is one of the three types of authentication, namely inherence, using “something you are” to verify your identity. The main advantage of using biometric authentication is that is relies on the unique physical traits of an individual and is very accurate in authenticating the end user.





Comments: (1)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 15 April, 2020, 13:20Be the first to give this comment the thumbs up 0 likes

Don't Use 2FA. With Or Without SMS. 

Here's why: Two Factor Authentication Is A “Conversion Killer” & “Blood Pressure Booster".

(hyperlink to post on my company website removed to comply with Finextra Community Rules but this post should appear on top of Google Search results when searched by its title)

Regulators can use the present coronavirus crisis as the fall guy and withdraw their 2FA / SCA mandates without losing face.

Paul Shumsky

Paul Shumsky

Technology Advisor


Member since

10 Sep 2019



Blog posts




More from Paul

This post is from a series of posts in the group:


Biometrics are the new weapons of war against online fraud and supporting financial services with biometric authentication and their KYC (Know Your Customer) procedures. ​ There are many different areas where biometrics are being deployed. For example in digital identity; an alternative to user names and passwords; protecting against ID theft; account takeovers and multiple accounts. ​ Mobile biometric authentication is helping to verify new and returning customers at the point of log-ins, payments and digital on-boarding.

See all

Now hiring