SMS Two-Factor Authentication Is No Longer Enough

Posted on by Alisdair Faulkner

With the near-constant occurrence of highly organized and complex cybercrime attacks, effective digital authentication has never been more challenging. Businesses must verify who they’re transacting with by implementing additional security measures, but at the same time they need to minimize friction and provide seamless user experiences to avoid losing users to competitors.

SMS two-factor authentication (2FA) has proven effective in providing additional security, and by simply sending a one-time SMS to a trusted user’s device to ensure they’re the person transacting, it doesn’t introduce significant user friction. However, the U.S. National Institute of Standards and Technology (NIST) recently announced its recommendation that businesses phase out SMS 2FA. Why? In short, the cybercrime landscape is evolving so quickly that single-point fraud solutions are no longer enough.

Additionally, SMS 2FA can provide multiple avenues for fraudsters to exploit. Consider the following four examples of security gaps SMS 2FA can introduce:

  1. If the mobile device itself is the catalyst for the original fraud, and the fraudster has access to the stolen device and gains access to online accounts, the SMS verification would be delivered directly into the fraudster’s hands.
  2. Fraudsters can often convince mobile device operators to send a new SIM card via clever social engineering attacks, which would redirect the SMS 2FA messages to the fraudster’s own device.
  3. Given the insecurity of SMS messages, fraudsters can easily intercept them via device spoofing and SIM card cloning, accessing the SMS messages as soon as they are sent.
  4. Even though SMS 2FA does provide an extra layer of protection, fraudsters can circumvent this by tricking customers into installing SMS-forwarding software in order to authenticate fraudulent online transactions.

So what should businesses do? There are more secure versions of 2FA, such as strategies that involve hardware tokens, secure applications and/or biometrics. However, leveraging hardware tokens and secure applications can cause additional friction, and biometrics—while often more secure—can cause numerous errors.

To remain secure and ensure optimal user experiences, businesses should include 2FA strategies as a part of their overall security approach, rather than rely on 2FA as the sole, potentially risky endpoint. Below are three tactical tips for businesses looking to implement such a model:

  1. Separate the credential authority, registration authority and authentication components. In doing so, the integrity of the authentication process won’t be compromised at any point.
  2. Use a layered approach for authenticating user identities that’s built on a passive solution that works in real-time. This will prevent users from experiencing any unnecessary friction.
  3. Apply risk-based models that tailor the level of authentication to individual users depending on how, why and where they are transacting, and whether this corresponds to their expected behavior.
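One way to implement the layered, risk-based step-up policy described in tips 2 and 3, as an added illustration in Python that is not the post's or ThreatMetrix's own code: passive context signals are scored against what is expected for the user, and the authentication level is chosen from the score. The signal names, weights and thresholds are assumptions, and the SIM-change signal is hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """What the business already knows about a trusted user (constructed)."""
    known_devices: frozenset
    usual_countries: frozenset
    typical_max_amount: float

@dataclass(frozen=True)
class Attempt:
    """Passive context collected for one transaction (constructed signals)."""
    device_id: str
    country: str
    action: str            # "login" or "payment"
    amount: float = 0.0
    sim_changed_recently: bool = False  # hypothetical carrier SIM-change signal

def risk_score(attempt: Attempt, profile: Profile) -> int:
    """Weighted deviations from this user's expected behaviour (weights assumed)."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 30   # "how": unfamiliar device
    if attempt.country not in profile.usual_countries:
        score += 25   # "where": unusual location
    if attempt.action == "payment" and attempt.amount > profile.typical_max_amount:
        score += 25   # "why": larger than this user's normal spend
    if attempt.sim_changed_recently:
        score += 40   # the SMS channel itself may have been redirected
    return score

def required_step_up(attempt: Attempt, profile: Profile) -> str:
    """Tailor the authentication level to the score. SMS is only ever one
    middle layer, and is skipped entirely when the SIM has just changed."""
    score = risk_score(attempt, profile)
    if score < 20:
        return "none"                  # passive checks pass: no friction
    if score < 50 and not attempt.sim_changed_recently:
        return "sms_otp"               # moderate risk: SMS as one layer
    return "app_or_hardware_token"     # high risk: stronger factor

# Constructed profile for a user who normally logs in from one device in the US.
USER = Profile(frozenset({"dev-A"}), frozenset({"US"}), 500.0)

if __name__ == "__main__":
    print(required_step_up(Attempt("dev-A", "US", "login"), USER))
    print(required_step_up(Attempt("dev-B", "US", "payment", 2000.0), USER))
    print(required_step_up(Attempt("dev-A", "US", "payment", 50.0, True), USER))
```

The third case shows the page's SIM-swap point in policy form: a recently changed SIM never falls back to an SMS code, even when the rest of the context looks ordinary.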

Executing effective digital authentication is no easy feat. Usernames and passwords no longer provide reliable security, and automated mass cybercrime attacks are hammering businesses daily. To combat cybercrime, businesses need to stop relying solely on SMS 2FA and instead implement a more cohesive, tiered approach to cybersecurity. By aggregating user information and global patterns, businesses can more effectively fight back against highly organized and determined fraudsters. And by gaining a better understanding of users and their unique online footprints, businesses can knit together trusted digital identities that fraudsters won’t ever be able to fake. 

Alisdair Faulkner

Chief Product Officer, ThreatMetrix


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
