Why using SMS authentication for 2FA is not secure
Is SMS authentication a secure method of two-factor authentication (2FA)? Learn about the risks, and explore alternative 2FA methods to secure system access.
Updated February 2, 2024

Now that two-factor authentication (2FA) is a part of daily life, most of us have first-hand experience with SMS authentication. You enter your password, then you get a prompt to enter a code or PIN that’s sent to your phone number. After you type in the code, you’re in. Simple, right?
We all have access to cell phones, so it’s no surprise that SMS two-factor authentication is one of the most widespread types of 2FA, also known as multi-factor authentication (MFA). You don’t need any apps or digital keys, and it’s not tied to a specific ecosystem. Unfortunately, it’s not a secure MFA method (and Microsoft agrees).
The nature of SMS itself opens up your organization to a host of risks. Hackers have many ways to leverage SMS to find a way into your accounts and network. Below, we’ll look at four common attack strategies.
Hackers use good old-fashioned spoofing, often combined with phishing, to intercept and read your SMS messages. For those in the know, it’s basic tradecraft. This is because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access.
While some text messages are encrypted user-to-user (think iMessages between iPhones or WhatsApp messages), SMS messages are sent in plain text. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read its content.
Hackers also use standard phishing techniques to persuade users to install malware on their phones. The malware is meant to look for one-time SMS passcodes, as well as usernames and passwords for websites and apps on the device. Then, the malware sends the information right back to the attacker.
A more sophisticated method, SIM swapping, can give hackers the virtual keys to your kingdom: control of your phone number. Using social engineering tactics, the hacker calls your phone company, pretends to be you, and activates a new phone with your number.
Before you even notice, the hacker will have breached any 2FA that uses your phone as a second authentication factor. The 2FA code gets sent directly to them.
It's a slick, simple technique, and one that everyone from individual hackers to criminal hacking groups uses frequently. Just look at the $400 million cryptocurrency theft at FTX that has been linked to a SIM swap, or the arrest of a Florida man charged with SIM swapping as part of the Oktapus hacker group, responsible for a chain of attacks on major U.S. tech companies in 2022.
Over the past few years, the uptick in remote work also sparked a trend of remote desktop protocol (RDP) attacks targeting SMS 2FA authentication. ESET’s research team, drawing on its telemetry, reported a 768% increase in RDP attacks between the first and fourth quarters of 2020. More recently, attackers leveraged RDP vulnerabilities in 95% of attacks in the first half of 2023.
While many RDP attacks are brute-force attacks, hackers also use RDP in SIM swapping attacks to directly access internal phone company systems. First, hackers trick or bribe phone company employees into installing or activating RDP software. Then, they remotely dip into the phone company’s system and SIM swap individuals from inside the system. From there, they take over phone numbers, and the SMS authentications that go with them, until they’re caught.
Hackers can also simply pretend to be you to your mobile service provider. They obtain personal information from other sources to bypass any security questions and request a secondary SIM (they’ll claim the old one was lost, stolen, etc.).
Then, they intercept the shipment of the new SIM. Once you lose service on your own SIM, your number is under the control of the hacker, and they can request new SMS 2FA codes at will. It’s low-tech, but highly effective.
Another very low-tech but time-tested method is getting close enough to get a look at your phone. If you’ve enabled lock screen notifications, it’s all too easy to peek at one-time codes sent by SMS.
More recently, hackers have been signing up with companies that provide SMS marketing and mass-messaging services to businesses. For a small fee, they can have your SMS messages rerouted to themselves.
Forrester estimates that SMS 2FA stops only 76% of attacks. Although SMS is the least secure method of 2FA, there are thankfully other ways to enjoy the security benefits of 2FA with minimal hassle.
Many organizations opt for hardware authentication, which requires a dedicated physical device (like YubiKey or Token2) for account access. Signing in requires users to know and enter their credentials; they are then prompted to submit additional proof of identity by inserting the key and tapping it. While the device may be lost or stolen, it’s much more secure than SMS.
There are also several widely used options for software authentication, which requires authentication via a mobile app (like Microsoft Authenticator or Google Authenticator). 2FA enrollment generally offers a QR code that you can scan with your phone’s authenticator app. The app then generates time-based one-time passcodes (TOTP), which refresh every 30 seconds. The user needs to enter the current code within that 30-second window to gain access. The short time limit means that even if an attacker did capture your one-time password, it won’t work once the window has passed.
Similar to an authenticator application, push notifications also allow users to quickly approve 2FA from their smartphone. While attackers can try to take advantage of MFA fatigue to bypass 2FA using push notifications, there are ways to implement secure push and minimize this risk.
Increasingly, IP-based controls also play a role in whether or how authentication takes place. Administrators can set up authorization controls based on IP address to decide whether to allow access, whether to prompt for 2FA, or what type of 2FA to require. This works best as an additional security layer in combination with other forms of authentication.
Ultimately, phones are designed for convenience, not security. Using SMS authentication for 2FA is too much of a risk for organizations looking to effectively secure access to their network and systems.
UserLock makes it easy for organizations to use secure methods of 2FA that protect access across Windows logon, RDP, RD Gateway, VPN, IIS and cloud applications.