How Secure is SMS-Based Two-Factor Authentication?

Posted by Alex Misevski on November 17, 2016

With the current increase in digital crime and internet fraud, depending on passwords is no longer sufficient, and two-factor authentication is becoming a critical aspect of maintaining the security of mobile applications. In fact, a recent report indicated that more than half a billion online personal records were breached in 2015, and mostly through mobile devices. Therefore, strengthening the authentication process should be a priority of any mobile app developer.

How It Works

Two-factor authentication, as the name suggests, involves presenting two authentication credentials to ascertain the legitimacy of the user signing in to an iOS or Android app. It adds an extra layer of security by sending a random code to an individual’s device using an SMS message, which the user will input, along with a name and password, to gain access to his or her account.

When a mobile app user wants to log into his or her account, he or she will be prompted to validate with a unique username and password—which is the initial authentication layer.

Next, the two-step verification will require an additional procedure to reconfirm the user’s credentials. The most cost-effective procedure involves using either one-time-password (OTP) security tokens sent via SMS to the user’s mobile device or out-of-band (OOB) methods, which complete the authentication process over a channel other than the primary one.

The purpose of the additional step is to discourage attackers who are trying to steal a user’s information by fraudulently penetrating their accounts. If you integrate two-factor authentication into your apps, a cybercriminal will need to pass both the first verification step and the OTP check to gain access to a user's account.

With the two-step verification technique, even if a hacker has retrieved a user’s username and password by exploiting a vulnerability in a mobile application, taking complete control of the account will be difficult without the one-time password, which is sent as an SMS to the user’s mobile device. Consequently, this results in fewer security breaches and lower costs from service interruptions.
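As an added illustration of the server side of that flow (example code, not from the original post): the service below generates the SMS code from a cryptographic random source, stores only its hash, and enforces a five-minute expiry, single use and a guess limit. The `send_sms` hook that stands in for a real SMS gateway is an assumption.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the original post: server-side handling of an
# SMS one-time password. The SMS gateway is an assumed hook (send_sms(phone, text)).

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a code expires five minutes after it is issued
MAX_ATTEMPTS = 5            # lock the challenge after this many wrong guesses


def _hash(code):
    # only a hash is stored, so a leaked table does not expose live codes
    return hashlib.sha256(code.encode()).hexdigest()


class OtpChallenge:
    def __init__(self, code_hash, issued_at):
        self.code_hash = code_hash
        self.issued_at = issued_at
        self.attempts = 0


class SmsOtpService:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms    # hypothetical gateway hook
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # username -> OtpChallenge

    def issue(self, username, phone):
        # secrets, not random: the code must be unpredictable to an attacker
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[username] = OtpChallenge(_hash(code), self.clock())
        self.send_sms(phone, f"Your verification code is {code}")

    def verify(self, username, submitted):
        ch = self.pending.get(username)
        if ch is None:
            return False
        expired = self.clock() - ch.issued_at > CODE_TTL_SECONDS
        if expired or ch.attempts >= MAX_ATTEMPTS:
            del self.pending[username]  # force a fresh challenge
            return False
        ch.attempts += 1
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(_hash(submitted), ch.code_hash):
            del self.pending[username]  # single use: a replayed code fails
            return True
        return False
```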


Topics: Security, mobile apps, SMS