Here’s why businesses should avoid SMS authentication

Multifactor authentication (MFA) is a powerful way to protect user accounts from cyberattacks. MFA adds one or more authentication requirements in addition to a password, such as a one-time passcode (OTP), a facial or fingerprint scan, an app notification, or a physical key. This way, even if a cybercriminal steals a password, they cannot access the account without also providing the other factor.

The risks of SMS authentication

A commonly used authentication factor today is SMS authentication. It asks users to verify their identity by entering a one-time code sent via text message to their mobile number. While convenient, SMS is a weak second factor, for the following reasons:

1. Lack of encryption

SMS is not end-to-end encrypted. Messages pass through carrier networks in a form the carriers can read, and they can be intercepted by anyone with access to the SS7 signaling network or by a malicious app on the phone that has permission to read texts. SMS-based one-time codes are also easily captured by phishing: a fake login page that forwards the victim’s password and code to the real site in real time uses the code before it expires.

2. SMS spoofing

In SMS spoofing, cybercriminals send text messages that appear to come from a reputable source by setting the sender ID to alphanumeric text, such as a bank’s name, which many carriers do not verify. With that spoofed sender, the cybercriminal can pose as an employee of the bank and ask the victim to “confirm their identity” by sending back an OTP.

At the same time, the attacker starts a login to the victim’s online bank account, which triggers a genuine OTP to the victim’s phone. If the victim passes that OTP along, the attacker completes the login and gains access to the account and the personal data in it.

3. SIM swapping

In a SIM swapping scheme, threat actors contact a mobile carrier (or bribe one of its employees) and pretend to be a subscriber who has lost or damaged their SIM card. They ask the carrier to move the victim’s mobile number to a SIM card in their possession. Once the number is ported, every text sent to it, including OTPs and password reset links, arrives on the attacker’s phone.

SIM swapping is one of the most effective ways to bypass SMS authentication. In August 2019, cybercriminals used this method to gain control of then-Twitter CEO Jack Dorsey’s Twitter account and post offensive content. Weeks later, food writer and campaigner Jack Monroe’s phone number was also hijacked, costing her $6,772.

Which authentication factors should you use instead?

To protect your business, it’s important to use more secure MFA methods such as these:

1. Hardware authentication

These are security solutions that use physical devices to verify a user’s identity. Some examples include:

  • USB security keys: Physical devices (FIDO2/WebAuthn keys, for example) that are plugged into or tapped on a computer to verify a user’s identity. The key signs a login challenge that is tied to the website’s real address, so a phishing site cannot reuse the response, and there is no code for a user to read out to a caller.
  • Fingerprint recognition: Fingerprint scanners capture the pattern of valleys and ridges on a user’s finger and compare it to the template enrolled on the device. If it matches, the user is authenticated; the fingerprint itself normally never leaves the device.
  • Facial recognition: Facial recognition measures facial features from a video or image and compares them with the enrolled face data to authenticate the user. As with fingerprints, the biometric usually unlocks a key held on the device rather than being sent to the service.

2. Software authentication

Software authentication verifies users with time-based one-time codes generated by apps like Microsoft Authenticator and Google Authenticator. The app and the server share a secret that is enrolled once (usually by scanning a QR code), and every code is computed from that secret and the current time (the TOTP standard, RFC 6238). Generating a code therefore needs neither a mobile network nor an internet connection, and there is no message for a carrier, an SS7 eavesdropper, or a SIM swapper to intercept. One caveat: an app code, like an SMS code, can still be relayed by a real-time phishing page, so security keys remain the stronger choice where phishing is the main concern.

3. IP authentication

IP-based restrictions let an organization accept logins only from trusted IP ranges, such as the office network or a corporate VPN, and treat everything else as higher risk. A source address on its own proves nothing about who is at the keyboard, so it should be used as a risk signal alongside real authentication factors rather than as a factor by itself. For example, if a login attempt arrives from an unknown or untrusted location, the system can require a one-time code from an authenticator app, a security key, or a fingerprint scan before granting access.

As cyberattacks become more dangerous and prevalent today, you need the best security solutions for your Baltimore, Annapolis, or Towson business. NetQuest provides round-the-clock device and system monitoring to keep your accounts protected from cybercriminals. Request a FREE IT assessment today.


Improve your overall cybersecurity posture by empowering your workforce to recognize and prevent social engineering attacks. Our FREE eBook will teach you how to design and implement a cybersecurity awareness training program that works. Learn more here.