How Secure Is SMS-Based Two-Factor Authentication?

As fraud concerns grow and more customer interactions move to mobile devices, organizations are working to improve their identity verification processes. For many companies, this means two-factor authentication with a one-time code sent to the customer in an SMS text message.

How secure is that channel, and does it actually deter fraud? Understanding current fraud trends shows which methods fraudsters favor, so your organization can keep its authentication process secure and ensure only legitimate customers gain access to products and services.

Threats to SMS Security and Viability
The idea behind two-factor authentication is sound; the weak link is the SMS channel used to deliver the second factor. Companies using this method send a unique one-time code to the customer's phone in an SMS message, and the customer types that code in along with a name and password to gain access to the account. The second factor is therefore only as strong as the channel that carries it, and the U.S. National Institute of Standards and Technology recently updated its Digital Authentication Guideline (the public draft of Special Publication 800-63B) to advise against SMS for this purpose. The guideline now says "Out-of-band verification using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
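
The server side of that flow, as an added example in Python (not code from this post or from IDology): the SMS gateway is a stub that only records what would be sent, and the names OtpStore, issue_code, verify_code and intercepted_login are this example's own. It shows the checks a server should make around the code itself (unpredictable value, short lifetime, single use, a cap on guesses, constant-time comparison), and then shows that all of those checks pass for an attacker who can read the customer's text message, which is the weakness the rest of this post is about:

```python
"""Server side of SMS one-time-code login: code sent out of band, typed in
with name and password. Added example, not code from this post or IDology.
The SMS gateway is a stub that only records what would be sent, so this
runs offline; OtpStore, issue_code, verify_code and intercepted_login are
names chosen for this example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_DIGITS = 6          # 10**6 possibilities: acceptable only with an attempt cap
CODE_TTL_SECONDS = 300   # short lifetime limits the window for a stolen code
MAX_ATTEMPTS = 5         # guess cap; without it a 6-digit code can be brute-forced


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class OtpStore:
    pending: dict = field(default_factory=dict)         # user -> PendingCode
    sent_messages: list = field(default_factory=list)   # stub gateway log

    def _send_sms(self, phone: str, text: str) -> None:
        # Stub: a real deployment hands this to an SMS provider.
        self.sent_messages.append((phone, text))

    def issue_code(self, user: str, phone: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # CSPRNG, zero-padded to a fixed width; never random.random() for a login code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(code, now + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your verification code is {code}")
        return code   # returned only so the demo and tests can exercise it

    def verify_code(self, user: str, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False
        if now > entry.expires_at:
            del self.pending[user]          # expired
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[user]          # too many guesses: code is burned
            return False
        if hmac.compare_digest(entry.code, str(submitted)):
            del self.pending[user]          # single use: no replay
            return True
        return False


def intercepted_login(store: OtpStore, user: str, now: Optional[float] = None) -> bool:
    """The post's threat model: an attacker who can read the customer's text
    message. Every check in verify_code passes, because the code is genuine."""
    _phone, text = store.sent_messages[-1]
    captured = text.rsplit(" ", 1)[-1]
    return store.verify_code(user, captured, now=now)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue_code("alice", "+15555550100")   # constructed sample user
    print("customer types the code:", store.verify_code("alice", code))
    store.issue_code("alice", "+15555550100")
    print("attacker reads the SMS:  ", intercepted_login(store, "alice"))
```

The checks are cheap and worth doing, since a guessable or reusable code adds risk on top of channel interception, but they only protect the code against guessing and replay. They do nothing against someone who receives the message in the customer's place.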

The risk is not hypothetical. At the 2013 Black Hat conference, cryptographer Karsten Nohl demonstrated that a mobile device can be compromised through SMS in a matter of minutes. According to an article published by the Times of India at the time, Nohl exploited the weak encryption used by SIM cards to install malicious applets and code that granted access to sensitive information. For a business that relies on SMS for authentication, the consequence is that a fraudster who can intercept messages intended for a legitimate customer can use the code they contain to take over the account and steal his or her identity. How can your organization ensure its authentication process is secure?

Recommendations for Stronger Authentication
One recommendation NIST makes for stronger authentication is to pair unique keys with biometrics to verify the identity of a customer. However, this is not always practical. Companies can also strengthen authentication without SMS by establishing strong mobile identities for users. IDology's ExpectID Mobile solution uses a mobile identity based on a person's device that has a persistent connection directly with mobile network operators.

This mobile identity consists of multiple mobile-specific and identity attributes and is verified in real time, so your business can process transactions more efficiently while deterring fraud and reducing friction for legitimate customers. The mobile identity persists across hundreds of customer events, such as device replacements, SIM changes, lost phones, and more. Once an identity is established, the platform makes it easy to validate, so you can make better-informed decisions to pass, fail, or escalate transactions as necessary.

Using mobile identities for customers removes the need for SMS authentication and, with it, the chance that a fraudster can steal a code from an intercepted text message. Strengthen your authentication measures and ensure customers are who they say they are.
For more information about mobile identities that don't require SMS-based two-factor authentication, contact an IDology representative today at (866) 520-1234.