Security is a concern for every business. One key aspect of security is authentication. Before letting someone access data or other resources online, most organizations require users to log in — to authenticate themselves using credentials that the organization knows about. Most organizations employ usernames and passwords, and have done so since the dawn of computing.
Passwords, however, are insecure. Sometimes people use guessable passwords, like their pet’s name or the date of their wedding. Sometimes the passwords people use are too short, which could allow a brute-force hacking tool to guess the password. Some people (not you, of course) post their passwords on sticky notes near their computers, making it easy for others to find them and potentially pass them on to people who shouldn’t have them. And even when people follow all of the recommended best practices for creating strong passwords, those passwords can be stolen or discovered through social engineering.
Organizations can improve authentication security by using multifactor authentication. A factor, in authentication terms, can be
- something you know, such as a password
- something you have, such as a device — a software or hardware token
- something you are, such as a fingerprint, faceprint, or some other biometric characteristic
The latest recommendations from the National Institute of Standards and Technology (NIST) call for the use of multifactor authentication (MFA) — requiring, for instance, a password plus the use of something you have. When you require users to use multiple factors, you drastically reduce the chance of authentication credentials being compromised. Even if hackers get ahold of one factor, such as a valid username/password combo, it’s unlikely that they’ll have access to a second factor.
One of the easiest ways to implement two-factor authentication (2FA) is via one-time passwords (OTP) sent via SMS to a device that your organization knows is associated with a particular user. The phone serves as something you have. Cellphones are convenient — the Pew Research Center in 2021 reported that 97% of Americans have cellphones, so this approach doesn’t require anyone to carry a separate hardware device. Most people are already familiar with the process; it’s quick and easy, and though people may find 2FA a little annoying, they generally understand its value. All cellphones can accept SMS messages, so users don’t have to download and install an unfamiliar authenticator application.
SMS verification works like this:
- Someone logs in to a remote server with a username and password.
- The server checks the username and password. If they don’t match those of a known user, the server denies the person access.
- If the credentials do match, the server generates a one-time password (OTP) and sends it to the user via SMS message.
- The user enters the OTP on a login screen. If it’s correct, the server grants access.
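The server side of steps 3 and 4 above, as an added example that is not part of the original article: the code is drawn from a CSPRNG, only a keyed hash of it is stored alongside an expiry and an attempt counter, and the check is a constant-time comparison that consumes the code on success. The SMS gateway call is assumed and represented by the returned code; the store, field names and limits are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # length of the code texted to the user
OTP_TTL_SECONDS = 300   # code is valid for five minutes (constructed limit)
MAX_ATTEMPTS = 5        # wrong guesses allowed before the challenge is discarded


class OtpStore:
    """Server-side record of pending OTP challenges, keyed by user id.
    Constructed for this example; a deployment would back it with a database
    or cache and hand the code to an SMS gateway."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock for testing
        self._key = secrets.token_bytes(32)    # server secret: a leaked store does not reveal live codes
        self._pending = {}

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id):
        """Generate a fresh OTP for user_id and return it for the SMS gateway (assumed, not shown)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, zero-padded
        self._pending[user_id] = {
            "digest": self._digest(code),      # only the keyed hash is kept, never the plaintext
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id, submitted):
        """Return True once, for the correct code, within the TTL and attempt budget."""
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False                       # nothing outstanding for this user
        if self._now() > challenge["expires"]:
            del self._pending[user_id]         # expired: the user must request a new code
            return False
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]         # guess budget exhausted: discard the challenge
            return False
        ok = hmac.compare_digest(challenge["digest"], self._digest(submitted))
        if ok:
            del self._pending[user_id]         # one-time: consumed on success
        return ok
```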
Advantages of SMS verification
SMS verification is more secure than passwords alone. By adding a second factor, SMS authentication makes it more difficult for bad actors to steal credentials and hack accounts. Getting a text message sent directly to their handheld devices, which they already carry around, is about as convenient as possible for the users. And if a user lacks a device capable of receiving SMS, most authentication systems will send passwords by voice as an alternative.
Disadvantages of SMS verification
At the same time, SMS verification comes with a few disadvantages. For one thing, it’s possible for users to lose their phones or leave them behind, locking them out of systems and resources that they need.
A more significant disadvantage is the cost to an organization of sending text messages for each authentication transaction. Even if an outbound text message costs only half a cent, those costs can add up. Most organizations consider 2FA messaging a cost of doing business, since the cost of unauthorized access to systems and accounts can be far greater.
If a hacker has physical access to someone’s phone, the “something you have” factor is compromised. And hackers don’t necessarily need to hold the phone in their hands. Attacks such as SIM swapping or SIMjacking and social engineering of mobile network operators’ staff can give hackers access to SMS messages sent to users’ phones. If a hacker gets both password credentials and the second authentication factor, there’s no keeping them out of targeted systems.
Finally, there’s a privacy issue — for SMS verification to work, an organization has to have access to someone’s phone number. While it’s reasonable for an employer to request its employees’ numbers for 2FA, consumers might balk at registering for an account and providing contact information before they can access resources. People aren’t always willing to share that information. Storage of user identification data should be governed by a published privacy policy.
Nevertheless, despite possible drawbacks, SMS verification in the form of OTPs for 2FA is an effective approach to enhancing authentication.