Back to overview

How secure is SMS-based 2FA?

   20.11.2019   authentication, authentication, MFA, security measures, mTan
smartphones sending and receiving messages | © Irina Strelnikova

SMS are still widely used as the second factor for strong authentication (mTAN). Find out in this blog post why this can lead to ever more problems.

  1. SMS are increasingly used for advertising purposes, as they are virtually free of charge. Providers are reacting to this by no longer delivering SMS from abroad or SMS via the Internet to their customers or only allowing SMS from GSM networks. 
  2. Smishing (= phishing, i.e. fraud by SMS), allegedly from a trustworthy source that is intended to persuade the recipient to disclose personal information, is also becoming more widespread.
  3. 1) und 2) causes SMS that are not sent out from a valid mobile number to be increasingly blocked by providers. It is now impossible to use a hotline number or a text as the sender.
  4. SMS offers no guarantee in terms of delivery time. When you are just about to log in, this is very inconvenient.
  5. Network operators negotiate roaming contracts with each other so that SMS can be sent across the network boundaries of their own service providers. For SMS reception abroad, however, these contracts can become pitfalls. Providers change and not all of them have roaming contracts with each other. At the same time, telecommunications companies are selling SMS messages "en wholesale" to SMS service providers at rock-bottom prices. They send the SMS via the cheapest way. This means that in many situations it is unclear which route the SMS will take, which makes troubleshooting difficult. If the SMS do not arrive, it is usually because the SMS service provider tries to transmit its SMS via a telecommunications company that does not have a roaming contract with the sender.
  6. SMS can be hacked. On the one hand, the GSM protocol is inherently insecure. SMS from third-party numbers can be sent without much effort or special knowledge and without the recipient noticing. In addition, a second SIM card can be created for the same mobile phone number, which will also receive all incoming text messages. There are also apps that read and forward incoming SMS messages without the knowledge of the mobile phone owner.

For the above reasons, we can no longer recommend SMS, i.e. mTAN, as a 2FA method. 

However, it must also be pointed out that SMS-based authentication is still more secure than no two-factor authentication at all.

Fortunately, there are now many other techniques that provide the 2nd factor through better means. An OTP, i.e. a one-time password, such as the one from the Google Authenticator as 2FA, costs nothing, is easy to configure and works on multiple devices.

Our IAM solutions support a variety of additional options for the second factor: RSA-Token, E-Mail-OTP, Kobil SecOVID, Swisscom Mobile ID (Mobile Signature Services), Client certificates such as X.509 or SwissID, OneSpan (VASCO) Digipass as well as CRONTO Visual Transaction Signing and FUTURAE Authentication Suite.