David Balaban December 28th, 2020

Why SMS Is Not Good for Multi-Factor Authentication (MFA)

The fact that passwords alone are not effective enough anymore gave rise to more advanced alternatives, including passwordless sign-in techniques that involve biometrics or hardware tokens.

The classic forms of multi-factor authentication (MFA) are somewhere in between. Despite a good deal of criticism, they pose a decent way to access web accounts securely, enhancing the authentication logic with an extra factor such as a verification phone call or a one-time password (OTP) sent to a smartphone.

While undoubtedly working better than static passwords that can be guessed or brute-forced in a snap, MFA via text messages has its downsides. The major weak link is that it hinges on public switched telephone networks (PSTN) whose architecture is inherently vulnerable to a handful of well-trodden exploitation methods. The same goes for GSM networks, which are categorized as elements of the broad PSTN ecosystem.

The booming MFA adoption will encourage malicious actors to focus on breaking these mechanisms, and SMS-based authentication could turn out to be the lowest-hanging fruit in this area. It is susceptible to all common types of credential compromise: social engineering, phishing, account hacking, malware, you name it. Furthermore, device theft has particularly adverse implications here.

The cons of using MFA via SMS

The following paragraphs highlight the main pitfalls of opting for SMS as an authentication factor.

Low flexibility

Since a plethora of telecommunication appliances are designed to receive messages over PSTN networks, these messages’ format is strictly unified to ensure maximum support regardless of the receiving device.

It means that there are hardly any options to extend the functionality of SMS in terms of MFA beyond submitting a short OTP. Innovation is a misnomer in this context because we cannot possibly enhance the security and features of the traditional text message framework.

Dismal protection of data in transit

Neither the SMS protocol nor its voice counterpart involves encryption. This peculiarity stems from the obvious usability criteria: these messages would not be human-readable if their contents were encrypted. Pair that with the risk of SMS or calls being intercepted by threat actors within the radio range of a phone, and the risk escalates considerably.

Here is some extra food for thought: telco networks interact with one another through the Signaling System 7 (SS7) telephony protocol. It was developed back in 1975 and continues to be in use around the world, failing to address the current security and privacy challenges.

There are devices and services that allow for eavesdropping on these networks, as is the case with the SS7 intercept scheme, the use of fake cell towers, and a technique that weaponizes femtocells whose original purpose is to enhance the cellular signal. To top it off, criminals may be able to get unauthorized access to the switching network infrastructure and therefore tap on phone traffic without even having to be nearby.

Social engineering can play its evil role

Modern telco systems are backed by huge customer care infrastructures. This hallmark exposes PSTN services to vulnerabilities that revolve around the human error. Manipulating a customer support agent could be easier than hacking software. A little bit of charm or outright bribery could pave an evildoer’s way toward tweaking some configurations or obtaining sensitive information that belongs to the would-be victim.

A particularly adverse situation kicks in if the attacker knows the phone numbers of contacts the person has been calling the most, plus some personally identifiable data (PID) such as the social security number. By providing these details, the impostor may hoodwink the provider company into rerouting the victim’s text messages to the wrong SIM card.

To add insult to injury, this trickery could lead to SIM duplication if the crook manages to convince the support agent to issue another card with the same number because the current one has been lost or damaged.

Account takeover

Most mobile carriers allow their customers to create online accounts that can be used to enable or disable services, modify settings, and review phone usage statistics. A clever phishing hoax may enable a perpetrator to hack a person’s online account. For instance, the victim may be redirected to a fake login form and instructed to enter their username and password – obviously, these credentials instantly go to the malefactor. In this scenario, the crook can turn on SMS or call forwarding to intercept OTPs used for authentication.

Rogue recovery

MFA systems based on text messages usually provide a recovery option that helps users continue to use secure authentication if they lose their phone or change the number. This feature mostly works via email. If a malicious actor obtains access to your email account, they can abuse the recovery functionality to specify a fake phone number for verification. In the aftermath of this foul play, OTPs will be submitted to the criminal.

Mobile carrier slip-ups

No matter how progressive a specific PSTN system is, it is prone to message delivery and reporting failures. Depending on the region and network equipment being used, a certain percentage of text messages never arrive at their destination. The unsuccessful delivery rate can be as low as 50% in some areas.

MFA services have no way of knowing that a message did not get through and therefore must hinge on statistical network-specific data to identify issues. This is a shot in the dark to an extent. By and large, if you are using SMS to receive OTPs for authentication, you cannot be confident that the message will make it to your device.

Regulatory factors

Since SMS spam is a growingly common phenomenon, regulators have imposed requirements regarding message content and transmit rates. Whereas these are effective initiatives when it comes to pulling the plug on fraud campaigns that involve texts, they may entail delivery outages and even prevent MFA messages from ever reaching the intended recipients. Given that OTP codes are typically valid for a limited amount of time, your authentication experience might go down the drain if the SMS delivery is delayed or the message is filtered.

Narrow context

The amount of information that can be transmitted over SMS is strictly limited. The standard maximum length is 160 characters. If GSM encoding is not being used, the limit goes down to 70 characters. Practically speaking, it means that MFA providers cannot provide any additional authentication context to thwart phishing and other exploitation vectors.

What about the alternatives?

It goes without saying that multi-factor authentication is turning into a must these days. The right question you need to ask yourself is not “Should I use MFA?” It is “Which MFA method should I use?”

With the serious downsides of leveraging SMS for multi-factor authentication coming to the fore, there are more reliable methods that can take the security of your sign-in routine to the next level. For example, you can opt for biometric techniques where available.

App-based authentication is growingly popular across the board, too. Some services are marketing it as a cure-all that eliminates the loopholes intrinsic to text messages. This technique employs encryption, ensures a hassle-free user experience, and provides sufficient context to fend off different types of abuse.

However, authenticator apps have a few disadvantages. If you lose or change your phone, you will not be receiving OTP codes until you reinstall the app and register the new device with the MFA provider. If MFA through SMS is enabled, the authentication process would not be interrupted in such a scenario.

Furthermore, secure sign-in using a specially crafted app is mainly a matter of tapping or clicking “Yes” or “Allow” on an authentication request pop-up. The fundamental problem with this mechanism is that most people are naturally inclined to green-light such requests without a second thought. If an attacker is trying to access a person’s account, the slightest lack of vigilance could be a recipe for a takeover.

These caveats make app-based authentication a double-edged sword. It is more reliable than its SMS counterpart, no doubt, but it is not immaculate. That said, it seems that the silver bullet for secure MFA has yet to be masterminded.


Photo by Roman Pohorecki from Pexels

David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Leave a Reply

Your email address will not be published. Required fields are marked *