Is it Time to Stop Relying on SMS for Multifactor Authentication?

Multifactor authentication is a way of authenticating to a device or software with a password plus another factor, usually a one-time code or a biometric. The easy way to think of it is “something you have and something you know.”

The most common form of multifactor authentication involves SMS messaging. After entering your password (something you know), the login prompts you to enter a one-time code sent by SMS to your mobile phone number (something you have).

The problem with using SMS for multifactor authentication is that phone numbers aren’t always secure. For one, SIM swapping has become a growing concern. SIM swapping is a scam in which a fraudster collects as many personal details about the victim as possible and then uses them to convince the telephone company to port the victim’s phone number to the fraudster’s SIM. This is done, for example, by impersonating the victim, using the personal details to appear authentic, and claiming to have lost the phone. In many cases, the victim may not realize that their SIM has been compromised until they try to make a phone call.

Even more troubling is another attack, described by VICE columnist Joseph Cox. Cox had asked a hacker, known as Lucky225, to try and break into his accounts. For $16, Lucky225 used a service called Sakari to reroute Cox’s text messages to his own phone. “Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal. Except I never received the messages intended for me, but he did.”

Companies like Sakari are legitimate businesses. Cox writes, “for businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. Sakari streamlines that process by letting business customers import their own number. A wide ecosystem of these companies exist, each advertising their own ability to run text messaging for other businesses. Some firms say they only allow customers to reroute messages for business landlines or VoIP phones, while others allow mobile numbers too.” The worst part of this type of fraud is that you won’t even know it has happened to you. Cox’s phone still worked and his SIM card was active, but the text messages meant for him never arrived. Worse still, Sakari sent Cox no confirmation text before his number was ported. Lucky225 did have to sign an LOA (Letter of Authorization) to use the number.

Since Cox first reported this story, the major U.S. mobile carriers have moved to close this loophole. Aerialink, a communications company that helps route text messages, made the announcement on March 25th: “The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers.” The announcement adds that the change is “industry-wide” and “affects all SMS providers in the mobile ecosystem.”

So, what does this mean for using SMS text messaging for multifactor authentication? While it is a good thing that the carriers are working to close the loopholes, will it be enough? Brian Krebs writes in his blog, “my advice has long been to remove phone numbers from your online accounts wherever you can and avoid selecting SMS or phone calls for second factor or one-time codes. Phone numbers were never designed to be identity documents, but that’s effectively what they’ve become. It’s time we stopped letting everyone treat them that way.” Instead, users should use a physical key, biometrics, or an authenticator app for multifactor authentication.
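To make the contrast with SMS concrete, the following added example (not code from the original article, Cox, Krebs, or any vendor named above) implements the time-based one-time password scheme (RFC 6238 TOTP over RFC 4226 HOTP) that authenticator apps use. The point it illustrates: the code is derived on the device from a secret shared once at enrollment, so nothing about it travels over the phone network, and porting or rerouting a phone number gains an attacker nothing. The function names, the 30-second step, the one-step drift window, and the test secret are assumptions made for illustration; the verification logic is the standard algorithm from the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def generate_secret(num_bytes: int = 20) -> str:
    """Create a random shared secret, base32-encoded the way authenticator apps
    expect to receive it (typically via a QR code shown once at enrollment).
    Assumed helper; 20 bytes is the RFC 4226 recommended minimum."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def secret_to_key(secret: str) -> bytes:
    """Decode the base32 secret back into the raw HMAC key."""
    return base64.b32decode(secret, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Both the phone and the server compute this independently; no message
    is sent to the phone, so the phone number is irrelevant."""
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, candidate: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and up to
    `window` steps either side to tolerate clock drift, and compares in
    constant time so the comparison leaks nothing about the expected code."""
    for drift in range(-window, window + 1):
        expected = totp(key, at_time + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed enrollment: the secret is shared once, out of band.
    secret = generate_secret()
    key = secret_to_key(secret)
    import time
    now = int(time.time())
    code = totp(key, now)               # what the authenticator app displays
    print("secret (base32):", secret)
    print("current code:", code, "valid:", verify_totp(key, code, now))
```

In production the server should additionally remember the last time step for which a code was accepted and refuse to accept the same step twice, so that a code observed once cannot be replayed within the window. The check above reproduces the published RFC 6238 test vectors (ASCII secret `12345678901234567890`, SHA-1), which is a useful sanity test for any TOTP implementation.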