SMS 2fa

A guide to 2fa SMS (two-factor authentication)

In recent years, SMS two-factor authentication has become increasingly common as way of adding additional security for accessing accounts and completing financial transactions.

Requiring an additional step, so that a user has to provide extra proof of their identity massively reduces the risk of an account being hacked or funds accessed.

While 2fa has its critics and is certainly not a silver bullet, it’s far better to be using 2fa than not.

What is SMS two-factor authentication?

SMS two-factor authentication (SMS 2fa) is simply an extra layer of account security in addition to using a traditional password.

Its purpose is to make sure that someone trying to access an account or complete a transaction is who they say they are.
The underlying concept  behind SMS Two-factor authentication is a combination of the following factors:

  • Something you know – typically your account password
  • Something you have – Is the case of SMS 2fa, this is your phone
  • Something you are – This is for ultra-secure 2fa that uses your face, irises of fingerprint.

(The third element doesn’t apply when using SMS 2fa.)

How does a 2fa SMS service work?

Using 2fa transactional SMS is a simple and straightforward process.

1. A user enters their username and password into the app or wedbsite.
2. If these details are correct, a unique code is sent to their registered mobile number by SMS.
3. The user then enters the code to gain access to an account or complete a transaction.
4. The unique code expires after a set period, typically 2 minutes or less.
If the user can’t provide authentication beyond the password alone, they won’t be allowed into the service they’re trying to log into.

Why do we need 2fa SMS?

In recent years,  there has been a massive rise in cyber crime. Organised criminals have developed ever more sophisticated ways of illegally gaining access to customer accounts.

While the level of crime has exploded, we’ve also seen countless examples of companies that have suffered massive data breaches. In many cases vast quantities of customer data, including credit card details have been stolen.

ICO logo

Despite tougher data control measures brought in by the GDPR, The Information Commissioner’s Office (ICO) has handed out some colossal fines to companies that have failed to look after their customer data adequately.
2fa is a sensible response to these increased threats and protects consumers against cyber thieves and criminals.

In addition to being a necessary response to increased cyber threats, SMS 2fa doesn’t really present any particular challenges in its implementation.

2fa SMS is easy to use
The user doesn’t need to download any additional app or have any device, other than their phone. Almost everyone has their phone easily accessible and close to hand.

It’s low cost
Unlike security keys, which require hardware and delivery costs, SMS 2fa is very low cost. The only running costs are for the delivery of the code by text, which are normally less than 3 pence.

Easy to set up
Many organisations already use an SMS gateway to communicate with customers and staff, so the addition of sending unique codes by texts isn’t a difficult task.


Which companies provide an 2fa SMS authentication service

There are literally dozens of 2fa SMS API providers.
Here is a small selection designed to give you an idea of market pricing. 

We suggest that you choose a company whose head office is in the same country as you so that if you have support queries, they will be handled at a suitable time.

2fa SMS Provider Country Based Set Up Fee Cost per 2fa SMS Sent in Pence
Twilio US No 3.4
Nexmo US No 3.1
Telnyx US No 3.2
Text Magic UK No 4.0
The SMS Works UK No 2.9
SMS API Poland No 3.1
Text Local UK No 4.9
Plivo US No 3.1
Text Anywhere UK No 5.1
Bulk SMS South Africa No 3.6
Mobivate UK No 3.3


What are the security risks of 2fa SMS?

Warning symbol

Although using SMS for 2fa is far better than using nothing at all, there are some concerning security risks and weaknesses.

There are a number of ways in which criminals can intercept, phish and spoof SMS.

It’s perfectly possible for a code request text message to be sent to look as though it has come from a legitimate source. If the user then replies to the SMS with the correct code, then the fraudster will have access to the account.

By pretending to be the victim of a hacking attempt, a fraudster can activate a new phone on the number. Before the victim notices, the hacker will already have breached the 2FA.

Using this technique, thieves were able to convince Cloudflare’s phone provider AT&T to redirect phone and email, Account details were then accessed using a 2fa process.

There are a number of other ways that two way authentication might be insecure.

Messages containing passwords could potentially be intercepted by a trojan hiding in the phone itself and then sent elsewhere. 

If a mobile phone  has lock-screen notifications enabled,  then a password can easily be seen over the shoulder of the phone owner.

The SS7 protocol, which is used to transmit texts, has a basic  flaw, allowing sms messages to be intercepted.  

A sim card can easily be installed in another phone, which could potentially give someone access to sms messages containing 2fa codes.

So it’s apparent that 2fa SMS isn’t perfect and as Chris Hoffman from How-to geek put it,

SMS isn’t the ideal solution. But, SMS-based two-factor authentication is much, much better than nothing.
Everyone should use SMS verification unless they’re using something better.

Chris Hoffman – Editor – How-To Geek


SMS pumping fraud – A new threat to SMS 2FA

A relatively new menace could well threaten how companies use SMS 2fa on webforms.

SMS pumping fraud or artificially inflated traffic is a new type of fraud that targets webforms with weak security features.

Fraudsters identify web forms that use SMS 2fa for the account sign up process. They then flood the form with large volumes of bogus account sign ups, generating huge numbers of automated 2fa texts.

The fraudsters benefit from taking a revenue share from the mobile network for submitting traffic to them. The return on each text generated is tiny, so the volume of generated text needs to be huge for it to be worthwhile.

The solution is to tighten up the account verification process to detect and halt any attacks. There are more details on this in the article linked to above.

What are the alternatives to 2fa for SMS?

There are plenty of alternative methods to 2fa SMS.
Arguably they are more secure than SMS but have greater set up cost and are more hassle for the user.

App-Generated Codes 

There are dozens of 2fa apps avalable.
The most popular and trusted 2fa apps are.

1. Authy

Authy 2fa

Has the most features of all the 2fa apps but requires the account to be linked to a mobile number.

2. Duo Mobile

Duo logo

User-friendly, with no frills.

3. Google Authenticator

Google Authenticator 2fa

It’s simple, easy to use and doesn’t have any complicated settings.

4. FreeOTP

Free OTP logo

More flexible with a few more settings. Also very lightweight compared to other apps at just 750 KB.

5. Microsoft Authenticator

Microsoft Authenticator 2fa

More features than Google and Duo Mobile’s app but still pretty minimalist.

6. Yandex.Key

Yandex key 2fa

Very flexible and does not require registration. Loaded with features. 

Physical Authentication Keys 

A hardware security key or UTF key is an actual physical fob that acts as an additional layer of security for online accounts.
To work, the user simply inserts the security key into the device (or connects wirelessly by bluetooth) and presses a button on the security key itself.
The security key will then be presented with a challenge by the app, which it then signs and allows the user access to the account.
The most  popular security keys are..


Google Titan

Thetis BLE U2F Security Key

Email-Based Systems
Email 2fa is undoubtedly the least secure of the 2fa options. An email address is not tied to a specific device and has weak security protocols.

Email is often subject to delays which give a poor user experience and could result in the code expiring before it’s used.

2fa SMS – a pragmatic solution

2fa SMS is by no means perfect but it is arguably the quickest and easiest of the 2fa options for adding additional account security.

If fraudsters are very determined, then SMS does certainly have some security weaknesses. For the vast majority of cases these risks are very low indeed.

For these reasons, 2fa SMS remains a very popular solution. Until something that is easier to implement and lower cost comes along, it will remain a sensible option for many.

author avatar
Henry Cazalet Managing Director
Co-founder and Director of The SMS Works, a low cost and powerful SMS API for developers. About Henry