Journalists and InfoSec practitioners have cautioned for years against using short message service (SMS) text messaging for multi-factor authentication (MFA). They're not without reason -- SMS authentication has well-documented shortcomings -- but it is important to note that for many organizations, it is the only practical way to encourage MFA use among a large user base. And SMS MFA is certainly far better than no MFA at all.

For context, MFA adoption is notoriously low. For example,less than 10 percent of Gmail users enable two-factor authentication. Most organizations understand that they should implement MFA wherever possible, but it can become a logistical nightmare. If you force MFA on your customer base, it makes registration difficult and can reduce adoption. You could also force MFA on your employees, but that can also lead to difficulties because it requires the user to set it up on their phone or email, and some won't be able to do so without IT assistance.

MFA is by design more complex than a simple username-password login. However, SMS-based MFA can help reduce complexity since most people are familiar with text messaging and it doesn't require the user to download and set up an additional app. But it does come with some security tradeoffs. This blog post will outline the various pros and cons of SMS-based MFA.

The problem with SMS authentication

A great example of the problems with SMS-based authentication is the August 2018 breach at Reddit. An attacker managed to compromise a few Reddit employee accounts with the company's cloud and source code hosting services even though those employees had SMS MFA setup. While Reddit didn't disclose the exact nature of the attack --- it did say the employees' phones were not compromised --- there are a few well-known methods to attack SMS.

The first is a subscriber identity module (SIM) swap scam. Telephone carriers can swap a phone's service to a new SIM card if a customer loses or damages their phone. In this attack, the perpetrator uses social engineering to convince the target's telephone carrier to switch service to a new SIM card that the attacker controls. Once this happens, all phone calls and text messaging --- including SMS MFA codes --- will be sent to the attacker's SIM card.

Another similar attack involves an attacker impersonating the customer and requesting service be transferred to another carrier. The attacker then sets up service with the new carrier. The end goal is the same as the SIM swap scam --- mobile phone service is transferred to the attacker-controlled phone, which can then receive SMS MFA codes.

There are several other types of SMS intercept attacks, such as targeting the global telephony protocol Signaling System 7, and they may vary somewhat based on geography and what cell phone carriers are being targeted. However, the majority of these attacks require the perpetrator to devote a significant amount of time or resources, which means it is only cost-effective for high-value targets. In other words, it might be worth it for a criminal to target an administrator, who has access to highly valuable materials, but it probably isn't worth it to target a regular user with limited access to valuable data.

Why SMS MFA is still good

It's easy.

Place yourself in the shoes of someone who isn't tech savvy but still wants to use your application or work for your company. With app-based MFA, users have to download an app and scan a barcode or enter a code. That may sound easy, but users sometime do wonky things like not allowing the app access to the phone's camera, preventing them from scanning the barcode. This can lead to customer churn or an increase in support tickets.

However, nearly all users understand how to use text messaging, making setting up SMS-based MFA far simpler. While it isn't as secure as app- or token-based MFA, it is much more secure than a single-factor username-password login. It is a great tool for encouraging MFA adoption.

That said, a strong security strategy should take into account your high-value users and assets and enforce more stringent access control policies on them. In other words, it is fine for a normal user account with limited access to use SMS MFA, but maybe your administrators and other high-value employees should use a stronger factor, such as a hardware-based MFA device like Yubikey.

In short

Well-known cybersecurity expert and practitioner Kevin Beaumont, said it best:

Compared to just requiring a username and password, [SMS MFA] is a significant leap in security posture.

It isn't perfect.

It shouldn't protect all the world's IT systems and every user.

It might well help protect your organization.

SMS MFA has its flaws, but it is still a great tool for organizations that want to offer a quick and easy way to set up MFA. However, a strong security strategy should identify high-value users who have a lot of access and required them to use more stringent authentication, such as app-based or hardware-based MFA.

Auth0 can enable a variety of types of multifactor authentication, including SMS- and app-based authentication. Learn more here.