Skip to main content

Complete Guide to 2fa SMS

Complete Guide to 2fa SMS

Complete Guide to 2fa SMS

SMS 2fa

Henry Cazalet - Director, The SMS Works

A guide to 2fa SMS (two-factor authentication)

In recent years, SMS two-factor authentication has become increasingly common as way of adding additional security for accessing accounts and completing financial transactions.

Requiring an additional step, so that a user has to provide extra proof of their identity massively reduces the risk of an account being hacked or funds accessed.

While 2fa has its critics and is certainly not a silver bullet, it's far better to be using 2fa than not.

What is SMS two-factor authentication?

SMS two-factor authentication (SMS 2fa) is simply an extra layer of account security in addition to using a traditional password.

Its purpose is to make sure that someone trying to access an account or complete a transaction is who they say they are.
 
The underlying concept  behind SMS Two-factor authentication is a combination of the following factors:
 

  • Something you know - typically your account password
  • Something you have - Is the case of SMS 2fa, this is your phone
  • Something you are - This is for ultra-secure 2fa that uses your face, irises of fingerprint.

 
(The third element doesn’t apply when using SMS 2fa.)

How does a 2fa SMS service work?

Using 2fa SMS is a simple and straightforward process.

1. A user enters their username and password into the app or wedbsite.
2. If these details are correct, a unique code is sent to their registered mobile number by SMS.
3. The user then enters the code to gain access to an account or complete a transaction.
4. The unique code expires after a set period, typically 2 minutes or less.
 
If the user can't provide authentication beyond the password alone, they won't be allowed into the service they’re trying to log into.

Why do we need 2fa SMS?

In recent years,  there has been a massive rise in cyber crime. Organised criminals have developed ever more sophisticated ways of illegally gaining access to customer accounts.

While the level of crime has exploded, we’ve also seen countless examples of companies that have suffered massive data breaches. In many cases vast quantities of customer data, including credit card details have been stolen.

ICO logoDespite tougher data control measures brought in by the GDPR, The Information Commissioner’s Office (ICO) has handed out some colossal fines to companies that have failed to look after their customer data adequately.
 
2fa is a sensible response to these increased threats and protects consumers against cyber thieves and criminals.

In addition to being a necessary response to increased cyber threats, SMS 2fa doesn't really present any particular challenges in its implementation.

2fa SMS is easy to use
The user doesn't need to download any additional app or have any device, other than their phone. Almost everyone has their phone easily accessible and close to hand.

It's low cost
Unlike security keys, which require hardware and delivery costs, SMS 2fa is very low cost. The only running costs are for the delivery of the code by text, which are normally less than 3 pence.

Easy to set up
Many organisations already use an SMS gateway to communicate with customers and staff, so the addition of sending unique codes by texts isn't a difficult task.

 

Which companies provide an 2fa SMS authentication service

There are literally dozens of 2fa SMS API providers.
Here is a small selection designed to give you an idea of market pricing. 

We suggest that you choose a company whose head office is in the same country as you so that if you have support queries, they will be handled at a suitable time.

2fa SMS Provider

Country Based

Set Up Fee

Cost per 2fa SMS Sent in Pence

Twilio

US No 3.4

Nexmo

US No 3.1

Telnyx

US No 3.2

Text Magic

UK No 4.0

The SMS Works

UK No 2.9

SMS API

Poland No 3.1

Text Local

UK No 4.9

Plivo

US No 3.1

Text Anywhere

UK No 5.1

Bulk SMS

South Africa No 3.6

Mobivate

UK No 3.3

 

What are the security risks of 2fa SMS?

risks of using sms 2faAlthough using SMS for 2fa is far better than using nothing at all, there are some concerning security risks and weaknesses.

There are a number of ways in which criminals can intercept, phish and spoof SMS.

SMS spoofing

It’s perfectly possible for a code request text message to be sent to look as though it has come from a legitimate source. If the user then replies to the SMS with the correct code, then the fraudster will have access to the account.

SIM swap

By pretending to be the victim of a hacking attempt, a fraudster can activate a new phone on the number. Before the victim notices, the hacker will already have breached the 2FA.

Using this technique, thieves were able to convince Cloudflare’s phone provider AT&T to redirect phone and email, Account details were then accessed using a 2fa process.

 
There are a number of other ways that two way authentication might be insecure.
 

Messages containing passwords could potentially be intercepted by a trojan hiding in the phone itself and then sent elsewhere. 

If a mobile phone  has lock-screen notifications enabled,  then a password can easily be seen over the shoulder of the phone owner.

The SS7 protocol, which is used to transmit texts, has a basic  flaw, allowing sms messages to be intercepted.  

A sim card can easily be installed in another phone, which could potentially give someone access to sms messages containing 2fa codes.

So it's apparent that 2fa SMS isn’t perfect and as Chris Hoffman from How-to geek put it,

SMS isn’t the ideal solution. But, SMS-based two-factor authentication is much, much better than nothing.
Everyone should use SMS verification unless they’re using something better.

Chris Hoffman – Editor – How-To Geek

What are the alternatives to 2fa for SMS?

There are plenty of alternative methods to 2fa SMS.
Arguably they are more secure than SMS but have greater set up cost and are more hassle for the user.

App-Generated Codes 

There are dozens of 2fa apps avalable.
The most popular and trusted 2fa apps are.

1. Authy

Authy 2fa

https://authy.com/

Has the most features of all the 2fa apps but requires the account to be linked to a mobile number.
 

2. Duo Mobile

Duo logo

https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app

User-friendly, with no frills.

3. Google Authenticator

Google Authenticator 2fa

https://www.google.com/landing/2step/

It’s simple, easy to use and doesn’t have any complicated settings.
 
 

4. FreeOTP

FreeOTP logo

https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp

More flexible with a few more settings. Also very lightweight compared to other apps at just 750 KB.

 

5. Microsoft Authenticator

Microsoft authenticator 2fa

https://www.microsoft.com/en-us/account/authenticator

More features than Google and Duo Mobile’s app but still pretty minimalist.

 
 

6. Yandex.Key

Yandex.Key 2fa

https://yandex.com/support/passport/authorization/twofa-on.html

Very flexible and does not require registration. Loaded with features. 
 

 

Physical Authentication Keys

 
google titan USB keyA hardware security key or UTF key is an actual physical fob that acts as an additional layer of security for online accounts.
 
To work, the user simply inserts the security key into the device (or connects wirelessly by bluetooth) and presses a button on the security key itself.
 
The security key will then be presented with a challenge by the app, which it then signs and allows the user access to the account.
 
The most  popular security keys are..

Yubico
https://www.yubico.com/

Google Titan
https://cloud.google.com/titan-security-key

Thetis BLE U2F Security Key
https://thetis.io/products/thetis-ble-u2f-security-key

Email-Based Systems
 
Email 2fa is undoubtedly the least secure of the 2fa options. An email address is not tied to a specific device and has weak security protocols.

Email is often subject to delays which give a poor user experience and could result in the code expiring before it’s used.

2fa SMS – a pragmatic solution

2fa SMS is by no means perfect but it is arguably the quickest and easiest of the 2fa options for adding additional account security.

If fraudsters are very determined, then SMS does certainly have some security weaknesses. For the vast majority of cases these risks are very low indeed.

For these reasons, 2fa SMS remains a very popular solution. Until something that is easier to implement and lower cost comes along, it will remain a sensible option for many.
 

 

About the Author
smsw-admin
I'm a freelance designer with satisfied clients worldwide. I design simple, clean websites and develop easy-to-use applications. Web Design is not just my job it's my passion. You need professional web designer you are welcome.
Comments