Don't use SMS for Multi-Factor Authentication (MFA)
Last updated on: 18/08/2022
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is an additional step users must complete before they log in; it complements their username and password. User credentials are compromised on a daily basis, so additional authentication methods were created to keep accounts secure. MFA has greatly reduced account compromises and should always be used in both personal and professional environments.
After you enter your username and password you will typically need to enter a one-time password (OTP) to complete the login. One-time passwords are cryptographically generated from a secure token and the current time; they only work in a small time window (typically 90 seconds).
One-Time Passwords (OTP)
One-time passwords are either sent to you via SMS or generated by a mobile authenticator app on your Android or iOS device. A hardware-based token dongle will also generate them for you. The mobile app and the dongle create OTPs from a secure token stored within them and the current time. SMS OTPs are created by a remote server and sent over the cellular network to your phone.
There are fundamental differences between each of these methods:
| Method | How the OTP is produced |
|---|---|
| SMS / Text Message | A remote server generates the OTP and then transmits it to you over your cellular carrier's network. |
| Mobile Authenticator App | An authenticator app on your mobile device, such as Google Authenticator, stores the tokens and generates the OTP. |
| Hardware Token Dongle | A physical dongle that holds the secure token and generates the OTP. |
Mobile Authenticator Apps
Mobile apps like Google Authenticator can scan QR codes from services offering time-based one-time password (TOTP) MFA. The QR code contains a cryptographic token (a shared secret) that the app stores on your device. Using this token and the current time, the app generates the 6-digit number that you then use to log into the service.
Once you have configured MFA for the service, the token is stored on your device for future use. If you delete the token from your phone or your device is lost, you will no longer be able to log in to the service.
When you log in and submit the 6-digit number, the service checks it against its own copy of the token and the current time to determine whether it is valid. Because this calculation is based on time, the number is only valid for about 90 seconds.
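The following is an added example, not LikeFury's code, that shows the mechanics described in the last three paragraphs and in the earlier OTP overview: the shared secret delivered in the enrolment QR code (an otpauth:// URI), the app's TOTP calculation from that secret and the current time, and the server-side check against its own copy of the secret. It assumes the RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second step) and uses the RFC 4226/6238 test secret so the results can be checked against the published vectors. The verifier accepts the previous, current and next step, i.e. three 30-second steps, which is roughly the 90-second validity the text mentions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlparse

STEP_SECONDS = 30  # assumption: RFC 6238 default time step
DIGITS = 6         # assumption: the common 6-digit code length

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" as ASCII), base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Create a random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time. This is
    what the authenticator app computes from the stored token and the clock."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check: recompute the code from the server's own copy of the
    secret and compare in constant time. window=1 also accepts the previous and
    next step, tolerating small clock drift between phone and server."""
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def otpauth_uri(secret_b32: str, issuer: str, account: str) -> str:
    """The otpauth:// URI a service encodes into the enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def parse_otpauth_uri(uri: str) -> dict:
    """What the authenticator app extracts when it scans the QR code."""
    parsed = urlparse(uri)
    params = parse_qs(parsed.query)
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "issuer": params.get("issuer", [""])[0],
    }


if __name__ == "__main__":
    # Enrolment: the service creates a secret and shows it as a QR code (here, the URI).
    secret = generate_secret()
    uri = otpauth_uri(secret, "ExampleService", "alice@example.com")  # constructed values
    # The app stores the secret from the QR code and later produces a code.
    stored = parse_otpauth_uri(uri)["secret"]
    code = totp(stored)
    # The service checks the submitted code against its own copy of the secret.
    print("code:", code, "accepted:", verify_totp(secret, code))
```

The test vectors make the time dependence visible: at Unix time 59 the counter is 1 and the code is 287082; sixty seconds later the counter has moved on and the same code is rejected, which is the expiry behaviour the text describes.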
Mobile-based authenticator apps offer the best compromise between security, cost and usability. There are alternatives to Google Authenticator, such as the open-source Aegis Authenticator for Android or Tofu Authenticator for iOS.
Hardware Token Dongles
Hardware token dongles are physical devices that function in a similar manner to mobile authenticator apps. The token is stored within the hardware and a screen displays the OTP. Hardware dongles are considered more secure than mobile devices because they are harder to compromise than an Android or iOS phone. Operating a fleet of these devices costs considerably more, so they are commonly found in large organizations.
SMS / Text messages
The SMS method is the least secure and most problematic implementation. A remote server generates a code and then sends it to the user's cellphone via the user's carrier network. The only advantage of this method is that the user only needs a valid cellphone number. We don't recommend using this method.
Delivery Issues
Sending SMS messages is a best-effort service: there is no guarantee that the message will ever arrive. When users cannot retrieve their one-time password you have a frustrated user who cannot log in, and possibly a customer service request that could have been avoided.
Android and iOS devices have spam filters, either installed at the factory or added by the user, that commonly block messages from services such as Twilio or ClickSend. Carriers can also drop SMS messages based on congestion, network conditions, or simply because they are having a bad day.
Security Issues
The most common attack vector against SMS-based MFA is a SIM swap: an attacker calls the user's carrier and impersonates the user. They tell the operator that their phone was lost and ask for the number to be transferred to a new SIM card in the attacker's possession. Once the carrier has transferred the number, the attacker receives the text message containing the OTP and is able to log in.
Conclusion
We recommend you disable SMS-based MFA both personally and professionally. Mobile-based authenticator apps are easy to use, reliable and secure. If you have an application that does not yet offer any MFA options, we recommend mobile-based authenticator apps as the method. LikeFury has implemented this technology many times and can help you with consulting and implementation.