How Secure is SMS-Based Two-Factor Authentication?

Posted by Alex Misevski on November 17, 2016

With the current increase in digital crime and internet fraud, depending on passwords is no longer sufficient, and two-factor authentication is becoming a critical aspect of maintaining the security of mobile applications. In fact, a recent report indicated that more than half a billion online personal records were breached in 2015, and mostly through mobile devices. Therefore, strengthening the authentication process should be a priority of any mobile app developer.

How It Works

Two-factor authentication, as the name suggests, involves presenting two authentication credentials to ascertain the legitimacy of the user signing in to an iOS or Android app. It adds an extra layer of security by sending a random code to an individual’s device using an SMS message, which the user will input, along with a name and password, to gain access to his or her account.

When a mobile app user wants to log into his or her account, he or she will be prompted to validate with a unique username and password—which is the initial authentication layer.

Next, the two-step verification will require an additional procedure to reconfirm the user’s credentials. The most cost-effective procedure uses either one-time-password (OTP) security tokens sent via SMS to the user’s mobile device or out-of-band (OOB) methods, which complete the authentication process over a channel other than the primary one.

The purpose of the additional step is to discourage attackers who are trying to steal a user’s information by fraudulently penetrating their accounts. If you integrate dual factor authentication into your apps, a cybercriminal will require both the first verification process as well as the OTP to gain access to a user’s credentials.

With the two-step verification technique, even if a hacker has retrieved a user’s username and password by exploiting a vulnerability in a mobile application, taking complete control of the account will be difficult because of the absence of the one-time-password, which must be sent as an SMS to the user’s mobile device. Consequently, this results in fewer security breaches and lower total costs from interruptions.

The Authentication Factors

An authentication factor refers to a self-sufficient category of credentials used for substantiating the details of a user. Currently, there are three key groupings of authentication factors.

1. Something a user knows—for example, a PIN number, username and password, or response to a secret question
2. Something a user owns—for example, a mobile device, ID card, or any other physical device
3. Something a user is—for example, biometrics, fingerprint, or any other biological factor

In addition, for applications with heightened security needs, location and time may be included as the fourth and fifth categories of authentication factors respectively.

The traditional single-factor authentication relies on using only one category of credentials before a user can gain access to his or her account. The use of both usernames and passwords is the most popular type of single-factor authentication (something a user knows).

However, usernames and passwords can no longer be considered infallible and are usually breached. For example, attackers have the capability to test thousands of random passwords and crack 90 percent of employee passwords within six hours. Worse still, 65 percent of individuals use similar passwords in different places online. This is like having the same key to access your home, office, and car.

Furthermore, with the current proliferation of social media sites and the willingness of people to share details of their lives, getting answers to security queries is not difficult. Anyone checking your Facebook profile or other online records can easily find answers to common security questions, for example, the name of your favorite pet, your anniversary date, or the year you completed high school.

Security of Multi-Factor Authentication

The vulnerabilities of single-factor authentication make two-factor authentication useful and desired, especially among mobile app developers. Dual factor authentication involves using any two of the above three main categories of authentication factors.

Usually, developers combine the first two categories (something a user knows and something a user owns). This offers cost-effective additional protection to the user’s credentials, since it significantly lowers the ability of the attackers to grab the second verification factor.

Furthermore, the use of one-time-passwords also increases the security of dual factor authentication. The one-time-passwords are usually valid for only one login session and, if not used within a specific period, will expire. This way, only suitably authenticated users are allowed to gain access to important applications and data, resulting in enhanced security enforcements.
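
As an added illustration (not code from the original post), the following Python example shows how a server can enforce the behaviour described above: a code that works for one login only and expires if unused. The class name `OtpVerifier`, the 300-second validity window, and the three-attempt guess limit are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess limit per issued code


class OtpVerifier:
    """Server-side state for SMS one-time passwords (hypothetical, in-memory)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # key for hashing codes at rest
        self._pending = {}   # user_id -> [digest, expires_at, attempts_left]

    def _digest(self, user_id, code):
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id):
        """Create a fresh 6-digit code; an earlier code for the user is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self._pending[user_id] = [self._digest(user_id, code),
                                  self._clock() + OTP_TTL_SECONDS,
                                  MAX_ATTEMPTS]
        return code   # hand to the SMS gateway; never write it to logs

    def verify(self, user_id, code):
        """Return True once for the right code inside the window, else False."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user_id]     # expired: a new code must be issued
            return False
        if hmac.compare_digest(digest, self._digest(user_id, code)):
            del self._pending[user_id]     # single use: burn on success
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user_id]     # too many guesses: burn the code
        return False
```

The guess limit matters because a 6-digit code has only one million possible values; without it, the expiry window alone does not stop automated guessing.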

The third category (something a user is) is usually complicated to integrate into applications, and can lead to poor user experience. However, if your mobile app handles very sensitive customer details, it is recommended you include other robust authentication options, such as biometrics or finger scanning, together with the primary authentication factors.

Although it is demanding and expensive to implement, the third category of authentication factors will increase the sturdiness of your mobile applications, particularly in the wake of the recent report by the U.S. National Institute of Standards and Technology that claims SMS-based two-factor authentication could be vulnerable to security leaks.

Safeguard Your Mobile Application

SMS messaging for two-step verification is a secure means of safeguarding your mobile application from unauthorized attacks. Even though it is not the holy grail security technique, it requires a lot of effort, a bit of luck, and a number of variables working in the attacker’s favor to compromise users’ passwords.

Therefore, you need to integrate two-factor authentication into your mobile applications, and reinforce the typical combination of usernames and passwords required to authenticate users.
