Do you use SMS two-factor authentication? Discover why, despite its general popularity with users, it’s one of less-preferred methods by IT security professionals. Explore the best alternatives available on the market that’ll guarantee you the maximum level of security and privacy

79% — this is the percentage of respondents to Duo’s 2021 State of the Auth Report using two-factor authentication. 85% of them have opted for short message service (SMS) text messages as their preferred second factor, which sounds good on the surface but may not be ideal where security is concerned.

Lots of organizations consider two-factor authentication as the silver bullet for secure logins. But does it really live up to that perception? It depends on the method chosen. And the SMS two-factor authentication isn’t one of the more secure options.

Welcome back to the second article of the series about SMS two-factor authentication. In our first article, we’ve learned the reasons why SMS security concerns are a bigger issue than most people realize. Now, we’ll delve into the problem more in depth and explore in detail the alternative solutions available. Grab your pumpkin-spiced latte and let’s get started. 

What Is SMS Two-Factor Authentication? A Quick Recap

Two factor authentication is a form of multi-factor authentication, meaning that it requires you to provide two identifying elements to verify your identity. This can be something you know, something you have, or something you are. (Note: 2FA differs from two step verification, although people often conflate the two.)

“A text message with your code has been sent to…” I’m sure many of you have received a message like this one. It’s an example of a message users may see when logging in to your website or app when they’ve enabled SMS two-factor authentication. With this process, users are required to provide two different authentication factors:

  • The traditional username and password (something you know), and 
  • A four- or six-digit code, delivered to the user by text message (something you have).

In an ideal world, the SMS two-factor authentication process provides an additional layer of security that protects the account from malicious attacks. How? By forcing the user to prove their identity with something they own (i.e., their mobile phone) after they enter their username and password. Again, in an ideal world, this should help reduce the chance of a cybercriminal gaining access to the account.

A graphical overview of how SMS two factor authentication works to allow users to authenticate using SMS text messages
Image caption: The graphic shows a basic overview of how SMS two-factor authentication works.

OK Alice, time to leave the Mad Hatter and Wonderland behind and come back with me to the real world. Because here, SMS two-factor authentication isn’t as secure as it seems. What’s wrong with it? This is what we’re going to discover next.

What’s the Problem With SMS Two Factor Authentication?

in the real, non-ideal world, cybercriminals are wreaking havoc. They’re hacking 2,521 credentials every 60 seconds, and scoring a total of 108.9 million breached accounts in Q2 2022 alone. We live in a world where attackers are getting smarter, complex passwords are being cracked, and SMS hijacking and interception has become child play. Because, as already highlighted in our previous article, an SMS text message:

  • Is an outdated solution. Created in 1984, the first SMS was sent in 1992 through the signaling system 7 (SS7) cellular network. Today, nothing has changed. SMS still use the same, highly vulnerable SS7 protocol and they’re sent (and stored), as 30 years ago, as plain text. And, if you run a search on Google, you’ll find out that there are even guides explaining how to hack this protocol and eavesdrop on your messages. LOL, as we would write in an SMS.
  • Is vulnerable to malware-based attacks. Have you ever heard of the group Rampant Kitten? No, it isn’t a girls’ rock band. It’s a hacking group identified in 2020 that developed an Android malware to intercept and steal SMS two-factor authentication codes. Because once your phone is infected with a malware like some Trojans (e.g., Zeus, Citadel also including a keylogger, or Zitmo) that are specifically built to intercept OTPs, getting hold of your SMS is easy as pie.
  • Is vulnerable to man-in-the-middle (MITM) attacks and phishing. OK, SMS are unencrypted because they’re sent via an old vulnerable protocol with as many holes as a colander. What are the chances that a malicious third party could intercept or read the message sent? Pretty high. They could use the same MITM attack technique used to intercept data transfer on the internet. Or, they could use a phishing attack and exploit vulnerabilities in the SMS account recovery process to get hold of the verification code. That’s what they did with Coinbase in 2021. More than 6,000 accounts were hacked.
A graphic that illustrates how SMS two factor authentication is susceptible to SMS phishing attacks.
Image caption: This is an example of how an attacker can get hold of your credentials through phishing, and exploit flaws in the SS7 protocol to access your organization’s website. Yes, this can occur even with SMS two-factor authentication activated.
  • Is vulnerable to social engineering attacks. Yup, people are always the weakest link. Social engineering attacks are easy, and they don’t require any technical skill. A cybercriminal just needs to find out some basic information about the victim, focus on the right talking points to trick or manipulate the victim, and have a bit of luck and he’s in. For example, an attacker could call the victim and pose as their bank. The threat actor will then ask the target to confirm the SMS two-factor authentication code they receive or trick the victim into clicking on a spoofed website. Done! It’s so easy that Network Chuck managed to “hack” his wife and grandma with just a phone call.
  • Is extremely susceptible to SIM-swapping attacks. This one is another form of social engineering attack. Recent Princeton University research shares that five major mobile phone carriers have been put to the test for SIM swapping. The result? All five used easily hackable procedures. The consequences of such an attack can be disastrous. Don’t think it can happen to your organization? If you say so. Before you keep on reading, though, listen to Rob Ross’s first-hand experience in this mind-blowing short video — you may change your mind. Spoiler alert: he lost $1 million in a SIM-swapping attack.
A graphic that illustrates how SMS two factor authentication is useless in the event that your SIM card becomes compromised
Image caption: With social engineering, it’s easy for an attacker to swap SIM cards and access your organization’s website. And it doesn’t matter if it’s protected by SMS two-factor authentication.

Got the picture? That’s why more and more businesses like GitHub and Microsoft have suggested avoiding SMS as an authentication factor for a few years now. And that’s probably why, when the U.K. high street pharmacy Boots started encouraging customers to enable SMS two-factor authentication earlier this year, the suggestion didn’t go down well with its customers. While we appreciate the effort, man, that isn’t good enough anymore.

OK, the problem is clear. There’s no doubt that SMS two-factor is a bad idea. What can organizations do then? Are there any better solutions available out there? Let’s find it out.

What’s the Solution That Can Replace SMS Two Factor Authentication?

A recent survey by the Mobile Ecosystem Forum (MES) shows that 93% of the organizations interviewed worldwide are still using SMS two-factor authentication. But SMS messages aren’t the only factor supported in two-factor authentication; there are other methods as well, some are much more secure than text messages. Which ones? Here’s a quick summary:

Two-Factor Authentication TypeWhy You Should Use It
1. PKI-Based AuthenticationIt’s more secure than traditional SMS two-factor authentication, which helps keep your users safe from most attacks. It’s easy to use once you install your certificate onto your device. It’s passwordless therefore, users won’t have to remember (or type) complex, cumbersome passwords. Your users will be able to access everything they need from everywhere. It allows you to customize access policies. It can be used for multi-factor authentication in combination with other authentication factors.
2. Authentication AppsIt’s more secure than SMS two-factor authentication but slightly less secure than PKI-based authentication. It’s easy to use: The user will just type in the code received. The code expires very quickly. Some apps even allow you to include additional PIN and password protection. The codes can be used offline. Since June 2022, all iOS16 users can also set up third-party authentication apps.

1. PKI-Based Authentication

PKI based authentication uses digital certificate that are issued by a trusted entity (i.e., a certificate authority). Some PKI solutions install certificates directly onto your device while others use external hardware tokens.

I still remember the first time I was presented with this solution. At the time, the organization I was working for decided to implement PKI-based two-factor authentication combined with Fast Identity Online (FIDO) for all employees working with highly sensitive information. I was among them.

In the beginning, my first thought was “Oh no, not another piece of hardware to keep with me at all times. And it’s tiny! What if I lose it?” The answer? I’d be charged $100. As you can imagine, that didn’t go down well for the majority of us.

Anyway, as I didn’t really have a choice, I gave it a chance, tried it out, and quickly realized that it wasn’t as bad as I thought. I didn’t even need a smartphone and, above all, it seemed to be pretty darned secure. Why? Because it reduced the user’s involvement in the authentication process to the bare minimum.

The big difference between PKI and FIDO is that the former involves the use of a digital identity that’s verified by a trusted third party (i.e., a certificate authority of CA.) FIDO doesn’t. So, how does PKI-based two-factor authentication work? It’s based on public key cryptography (e.g., secure socket layer/transport layer security) and relies on:

  • A pair of encryption keys. A private key, stored on your device or an external hardware token (e.g., a USB), and a public key that’s shared with other parties. These will be generated once you’ll register with the online service.
  • A digital certificate that’s issued by a trusted certificate authority (CA). A client authentication certificate (sometimes called an end user certificate) enables you to prove your identity and establish encrypted and secure communication from start to finish. This certificate can be installed directly onto your device (which is the example we’ll use) or, in some cases, may be installed on a USB token.

Now, whenever you have to log in to an application protected by PKI-based two-factor authentication, you will:

  1. Establish a secure connection. Your client will confirm the identity of the server you’re connecting to by reviewing its certificate. It will use this information (along with other info) to establish a secure connection with the server.
  2. Authenticate yourself for the service. Since you already have your client authentication certificate installed onto your device, the client will automatically provide this information to the server for authentication.
  3. Digital identity verification. Once done, the service will verify the challenge response and if it matches, it’ll give the user access to the application.

Done! No need for text messages or having to enter any passwords.

Why Should You Use PKI?

  • It’s convenient because you can simply install the certificate onto your device and use it to authenticate automatically.
  • It’s more secure than SMS two-factor authentication and it’ll keep your users safe from most attacks (e.g., phishing and man-in-the-middle attacks).
  • The certificate-based method is passwordless, therefore, users won’t have to remember (or type) complex, cumbersome passwords.
  • Your users will be able to access everything they need from everywhere.
  • Access policies can be customized based on roles and responsibilities.
  • It can be used for multi-factor authentication in combination with other authentication factors (e.g., biometrics).

See why PKI-based authentication won me over and I didn’t go back to the traditional old SMS two-factor authentication method anymore?

2. Authentication Apps

There’s an alternative to PKI-based authentication that involves the use of your phone: push-message authenticator apps. There are many available on the market supporting different platforms, from Android to iOS and Windows, some of which are free. You just need to:

  • Select the authentication app you prefer and download it on your device.
  • Add your account to the app (e.g., Google account or Instagram account). The process may vary slightly but you’ll usually be required to scan a QR code or type a six-digit code into your app.

That’s it. Now you’re all set to start using your authentication app.

How does it work? Like SMS two-factor authentication, once you’ve entered your password on the website you want to log in to, you’ll be requested to type a little code. However, instead of being sent to you as a text message, the code will be automatically generated by an algorithm within the app itself. (This is called a push notification.) You won’t even need an internet connection because the code is generated within the app itself on your device, meaning that the message can’t be intercepted via an insecure network connection. Isn’t that great?

Do you want to see it in action? Check out this two-minute video about the Google authenticator app:

Why Should You Use It?

  • It’s very easy to use. The user will just have to type the code received.
  • The code expires very quickly. On average, an authentication app generates a new code every thirty seconds. I dare every attacker to get hold of that code in less than that time.
  • Some apps even allow you to have additional PIN and password protection making the whole thing even more secure.
  • The codes can be used offline. This means that if you’re on a plane, you’ll still be able to use it.
  • Since June 2022, all iOS16 users can set a third-party authentication app as their default two-factor authentication option.

So, are you ready to entrust the key to your users’ accounts to an authentication app? Make sure you opt for one made by a trusted vendor, don’t download the first app you find, and evaluate the features offered by each app.

  • Duo mobile. It keeps authorization codes hidden by default by requiring the user to tap on a specific token to view it.
  • Google Authenticator. It’s very user-friendly and allows users to copy the code by just tapping on it.
  • Microsoft Authenticator. It offers some extra features for signing into Microsoft accounts that could come in handy if your organization uses Microsoft 365 accounts.
  • Yandex.Key. It can be protected with a PIN or a fingerprint and allows you to create password-protected backups in the cloud, ready to be restored on any device.
  • FreeOTP. It’s open source and allows you to configure tokens manually exactly as you need them.

And these are just a few of the myriads of apps available. So, what two-factor authentication flavor is your organization going to go with?

Final Thoughts on SMS Two-Factor Authentication Security Considerations

Bottom line: SMS two-factor authentication is a bad idea and it can cause bigger problems than it solves. It could have been great at the beginning, and it’s still better than relying utterly on credentials, but only if you have no other alternatives.

Technology has evolved and the time has come for organizations to consider switching to something better and more secure: PKI-based authentication or push message-based authentication apps.

The choice is yours:

  • Do you want to guarantee your users the highest security possible and remove the need for a password? Then you should opt for PKI-based two-factor authentication combined with solutions like FIDO2 or WebAuthn.
  • Do you want to keep your users and organization secure but you prefer a simpler, nearly out-of-the-box solution? Authentication apps are probably going to be the best choice for you.

Beware! No matter which one you choose, there will always be some users that’ll see the new process as an annoyance at the beginning. Don’t give up! They’ll soon realize that a small inconvenience is better than risking ending up with an even bigger hassle. OK, some others won’t be able to make the change after all. But, what about you? Will you make the switch to PKI-based authentication or an authentication app?


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.