why sms (TXT) is not a reliable 2nd authentication factor

Many organizations still send an SMS code as the second step in validating users. It is convenient, but it is not the safest option.


I am sure most readers are aware of the cybersecurity risk. The popularity of Internet services, social media and home banking has given rise to a rapid increase in crimes involving stolen identities or login credentials.

A lot of financial institutions send an SMS (text) message to the user as a means of authentication. The process is almost painless for the user: there is no app to install and no update to worry about.

However, if a bank or other web service offers other ways to authenticate, I would suggest choosing from them in the following order, from most to least secure:

  1. A hardware security key such as a YubiKey. This is a physical key that is plugged into (or tapped against) the computer or phone, and it is the most secure of the three.
  2. A biometric device such as a fingerprint or face scanner.
  3. An authenticator app such as Authy or Saaspass, which generates the one-time code on the device itself rather than receiving it over the network.

So why is SMS not my first choice as a second factor? Because it is not secure. By default, text messages are stored in plaintext at the short message service centre (SMSC) until they are successfully delivered to the intended recipient, so anyone with access to the SMSC's messaging system can read or alter them, and the one-time code travels a path that neither the user nor the bank controls. Spyware such as FlexiSpy lets an intruder automatically record all incoming and outgoing SMS messages and upload the logs to a remote server for later viewing and analysis.

In addition, a compromised phone (e.g. jailbroken or malware-infected) can have its text messages read by a third party. Many phones are susceptible to banking Trojans such as Zeus, Zitmo, Citadel and Perkele, which abuse the open access to SMS on mobile phones specifically to intercept these one-time passwords.

Some organisations offer no option other than SMS; Kickstarter is one example. In those cases the user has to understand the risk and be vigilant about keeping the phone free of malware.


It is always advisable to start with a very strong password. Using SMS as the second factor is far better than having no second layer of defence at all. Users also need to strike the right balance between convenience and security; there is no single answer that suits everyone.