Decades ago, Short Messaging Service (SMS) changed the world—by being a convenient, barrier-free, omnipresent, and desperately easy way for end users to chat about kids, pets, and shopping.
Intuition should tell you that any technology that can be described that way probably isn’t a great primary step for authentication flows. Even so, many organizations continue to use SMS codes to provide a multi-factor authentication (MFA) fig leaf at the lowest possible cost and complexity levels.
Worse, many still hold the misguided belief that SMS codes add considerable security. They don’t. Here are just some of the reasons why.
The SMS infrastructure and the link-level infrastructure that supports it are a hodgepodge of hardware, services, and organizational units that date to the 1980s. To jog your memory a bit, this is the era during which cleartext password storage—or even the use of birthdays and phone numbers in lieu of passwords—was commonplace.
SMS is an archaic soup held together by band-aids and updates. The attendant security problems from a technical perspective include:
Backdoors and exploits in infrastructure. The SMS ecosystem is riddled with state and vendor backdoors, unauthenticated touchpoints, and other naive design choices. The illicit mining of SMS traffic, once a hobby primarily of national intelligence agencies, is now a hobby of black hats of all shapes and sizes.
Limited, spotty encryption. SMS messages are commonly encrypted only at the last-mile link level, meaning that anyone able to compromise or spoof a handset identifier—or with employee-level access to Short Message Peer-to-Peer (SMPP) or Signaling System 7 (SS7) services—may have access to SMS cleartext.
Cleartext may be durably stored. SMS messages are not guaranteed to be ephemeral. Historically, they have remained durably stored at Short Message Service Centers (SMSCs) and other units for days or even weeks, often in cleartext, before erasure. Carriers continue to provide little transparency about their infrastructure and how it’s configured.
Vulnerable transmission over the last mile. Even in the most modern parts of the system—the handsets themselves—infrastructure spoofing is easy for anyone with technical knowledge to achieve. 2G, 3G, and 4G repeater and tower hardware have reached commodity saturation and easy gray-market availability.
Beyond the technical vulnerabilities, the very nature of the global SMS system—as a consumer-level service for casual communication—means that it isn’t well positioned for, and was never designed for, extensive use in authentication.
Non-technical vulnerabilities that can result from user activity, customer service concerns, or user experience motivations include:
In-band delivery. Mobile login users receive SMS codes on the same device being authenticated with no prior authentication. Thanks to the proliferation of Mac OS, Windows, and browser-based SMS apps from handset vendors and Voice Over Internet Protocol (VOIP) providers, the same is now often true of laptops and desktops as well.
Handset configuration for convenience. Frustration with two-step SMS authentication leads users to configure their handsets for convenient code access. In many cases, users opt to display codes on device-wake lockscreens. This is particularly easy to achieve on Android devices, where configuration and app selection are highly user-driven.
Service configuration for convenience. The lego-like nature of today’s cyber-universe enables codes to also be forwarded to email boxes, or to Evernote, or to any other tool the user feels is convenient. This is usually done with an eye toward more speed and lower friction, rather than more security in code management.
Device theft. With an in-band nature and users that intentionally compromise, rather than secure, their devices’ SMS capabilities, device theft becomes an SMS authentication risk. Phones and laptops are easy to steal and generally less secured than most organizations wish they were.
Number porting. Number porting is nothing short of a consumer-level social engineering exploit for SMS systems. Anyone with a few pieces of personal data or a persuasive telephone manner can port a target number to a blank SIM or handset. Make a call, tell a story, wait an hour, and you have control of any SMS identity—and the codes it receives in the future.
What This Means for Your Authentication Flow
Companies that add SMS to authentication flows to address the weaknesses of passwords just don’t gain much in the way of security. As a rule, SMS codes are less secure than passwords.
Does combining the two add an extra touch of authentication security? Yes.
Are SMS codes a brand of secure MFA suitable for primary use in authentication flows? Absolutely not.
And if that’s what your organization or application is using them for, you should find a new solution—stat. ■