SMS authentication is a method of enforcing two-factor authentication (2FA) via text messages. 2FA is a form of multi-factor authentication (MFA) requiring users to complete an additional identity verification step to log in to their accounts. With SMS authentication, users receive a text message with a unique one-time password (OTP) that they need to enter along with their username and password.
SMS authentication is particularly common for applications involving consumers or external users.
Organizations, applications, and services implement SMS authentication to better ensure access remains restricted to authorized individuals, keeping their systems and data secure. It helps prevent breaches resulting from poor password management (like written-down passwords or weak passwords), brute force attempts, and other cybersecurity attacks.
How SMS authentication works
As the name implies, SMS authentication works by sending an OTP, typically a numeric code, to the user's mobile device via text message. To avoid the weakness of a traditional static password, this code is generated dynamically, only after the user has completed the first login step.
2FA requires users to provide two distinct “factors” that prove their identity. In this case:
A knowledge factor: Passwords, PINs or other security information—representing “something you know.”
A possession factor: The SMS OTP represents “something you have.”
The login attempt will fail if the user doesn’t provide both factors.
The SMS authentication process
For users, the basic SMS authentication process goes like this:
A website or application prompts a user to log in to their account.
After the user submits their username and password (i.e., "something you know"), the site or application prompts them for an OTP in another field. At this point, the user does not yet have the OTP.
The OTP is dynamically generated at that moment and delivered to them via SMS. The OTP and mobile device—in combination—now function as a possession factor (i.e., “something you have”).
The user checks their mobile device for a text containing the OTP and enters that value in the required field. The authentication process should establish a short window where the OTP remains valid.
Once the OTP is confirmed, the user is logged in and granted access. The OTP is then automatically invalidated for future use, so a malicious agent who obtains it later cannot use it to gain unauthorized access.
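To make the issue-and-verify steps above concrete, here is an added example (not the page's or Descope's code) of a minimal server-side OTP service in Python: it generates a fresh random code per login attempt, hands it to a stand-in for the SMS gateway, enforces the short validity window, caps wrong guesses, and invalidates the code the moment it is used. The `send_sms` callable, the injectable clock, and the 5-minute / 5-attempt limits are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # short validity window after the first login step (assumed value)
MAX_ATTEMPTS = 5        # wrong guesses tolerated before the code is thrown away (assumed value)


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Second login step: issue a single-use code over SMS, then check it."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms  # callable(phone, text); stands in for a real SMS gateway
        self._now = now            # injectable clock so expiry can be exercised in tests
        self._pending = {}         # user_id -> PendingOtp (one outstanding code per user)

    def issue(self, user_id, phone):
        """Generate a fresh random code for this login attempt and text it to the user."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = PendingOtp(code, self._now() + OTP_TTL_SECONDS)
        self._send_sms(phone, f"Your login code is {code}. It expires in {OTP_TTL_SECONDS // 60} minutes.")

    def verify(self, user_id, submitted):
        """Accept only the current, unexpired, unused code for this user."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing issued, or the code was already consumed
        if self._now() > entry.expires_at:
            del self._pending[user_id]  # validity window closed; user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]  # stops online guessing of a 6-digit code
            return False
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            return False  # wrong code; constant-time compare avoids leaking digits via timing
        del self._pending[user_id]  # single use: invalidated on the first success
        return True
```

A login handler would call `issue` after the password check succeeds and grant access only when `verify` returns True.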
Who uses SMS authentication?
Organizations utilizing SMS authentication for their 2FA process typically provide services to external users (e.g., customers). For example, the financial industry (e.g., banks, credit card companies, investment firms) commonly uses SMS authentication to better secure account holder access. Similarly, organizations that store external users’ personal or sensitive information (e.g., healthcare) also implement SMS authentication.
Benefits of SMS authentication
All MFA methods provide inherently increased security over traditional login processes that only require a username and password. Compared to other MFA methods, the primary benefit of SMS authentication is that organizations regard it as an acceptable and pragmatic tradeoff between adoption likelihood, management ease, and security.
SMS authentication remains common for organizations that manage external users for this reason. They could implement more robust MFA processes, but these generally require one of the following:
Dedicated authenticator applications – Users may be less likely to download a separate application to their smartphone. According to one poll, 86% of users reported using SMS authentication, whereas only 52% use an authenticator app. As a result, this method is more common for employees provided with a mobile device by employers that mandate they use the app.
Physical tokens (e.g., USB security keys) – Delivering and managing physical tokens for individuals outside the organization is not realistically feasible. They may be lost or stolen, representing a significant security risk. Like authenticator apps, organizations generally provide physical keys to employees only.
Biometric authentication – Users may be reluctant to provide biometric data to organizations out of concern for their personal privacy and security—which is, in fact, just a common misconception.
Organizations that make their MFA process too cumbersome or too difficult to manage will see decreased adoption or increased risk, respectively. In contrast, SMS authentication provides external users and organizations with somewhat enhanced security paired with optimal convenience:
The OTP is sent to a device they already use frequently and likely keep nearby when logging in to accounts. When users log in from their smartphone's own web browser, push functionality can supply the OTP so the user does not have to type it. 68% of users enable SMS authentication push functionality.
Text messaging is a virtually ubiquitous messaging format:
92% of adults in the US own a text-enabled phone.
98% of smartphone owners text regularly.
Individuals commonly have unlimited texting with their cell phone plans, so SMS authentication doesn’t cost them anything.
Therefore, although regarded as less secure, organizations generally employ SMS authentication because they consider the broad adoption of a less robust MFA method as better than none at all.
But is SMS authentication actually secure?
Although it is more secure than relying exclusively on traditional user credentials, SMS authentication still has security vulnerabilities. Malicious agents can intercept SMS-delivered OTPs via:
SIM swapping – Malicious agents may impersonate the user to convince a phone carrier to port the user's subscriber identity module (SIM) number to a device they control. This drops the user's device from the network and redirects all messaging communications to the malicious agent, including OTPs sent via SMS.
“Man-in-the-middle” attacks (MITM) – Accessing a public key used for message encryption enables malicious agents to intercept the OTP and change what the user receives.
Lost or stolen mobile devices – With the mobile device acting as the possession factor for SMS-based MFA, malicious agents possessing the user’s cell phone present a significant vulnerability. That said, it’s much less likely for a phone to be stolen than for a password to be stolen.
Because of these vulnerabilities, the National Institute of Standards and Technology (NIST) recommended deprecating SMS authentication in 2016, effectively declaring the method "on its way out." As an alternative, organizations can employ the methods listed above:
Dedicated authenticator apps
Physical tokens
However, with the adoption and management issues related to each, the ideal solution involves developing a widely adopted authentication platform across applications.
Auth-some & secure authentication for your app
Developing a universal authentication platform for app developers that meets the pragmatic needs of organizations and their users remains a top priority for the tech industry. Yet, whether you're thinking of implementing SMS authentication or a more robust solution, doing it in-house while ensuring it meets all security requirements can put a serious strain on your resources.
So if you’re looking to easily implement SMS authentication or explore a more secure passwordless authentication method, sign up for Descope’s developer-first authentication platform and join AuthTown—our community for developers, entrepreneurs, designers and other authentication stakeholders to learn and discuss better authentication.