In 2017, the National Institute of Standards and Technology of the US Department of Commerce said SMS for 2FA was a deprecated solution. Unfortunately, in 2021, not much has changed.

Today, SMS OTP is still the most widely used method of two-factor authentication, used by about one-third of mobile users. Yet, fraudsters manage to circumvent it every day.

While the tech community, ourselves included, recognizes the fact that having SMS OTP two-factor authentication is better than relying on your email and password only, it’s clear that this type of 2FA may very well be left in the past.

In addition to the security risks, the user experience of SMS OTP 2FA itself isn’t up to par with today’s standards either. You have to type in your phone number, request an SMS, and wait for it to arrive before you can finally enter the code – and that’s if the code ever arrives.

So, is this the year of ditching SMS OTP as 2FA?

It should be, but only if it’s in favor of better mobile security solutions.

Let’s first talk about why this is the time to ditch SMS OTP for 2FA before discussing better alternatives for secure and seamless mobile authentication.

Why it is time to ditch SMS OTP as 2FA

As I’ve stated above, SMS OTP as 2FA comes with multiple shortfalls for all parties involved. Let me list out some of the biggest issues of SMS OTP for 2FA.

SS7 technical flaw security risks

For as long as I’ve worked in this industry, the SS7 vulnerability has been a source of concern, and that hasn’t changed since 1975, when the protocol was originally introduced.

Mobile networks carry SS7 technical flaws that can be used to intercept or reroute the SMS message that contains your one-time password. Scary, right?

It’s precisely why so many different actors including the aforementioned NIST have called SMS OTP for 2FA an outdated mobile authentication solution.

SIM swapping security risks

Have you read my article about the practice of SIM Swapping? It’s a major concern.

SIM swapping is when a fraudster gathers enough of your private data to trick your mobile provider into issuing them a new SIM card with your number, meaning that they will now receive every 2FA code and easily gain access to your accounts.

While this may sound tough to pull off, fraudsters only really need a few personal identifiers, like your first and last name, social security number, date of birth, or ID.

Do you remember the infamous Twitter hack? This is actually how Jack Dorsey’s Twitter account was hacked.

Friction in user experience

User experience has become one of the determining factors when it comes to user adoption in any industry globally. Did you know that 70 percent of users prefer an authentication option for its ease of use?

Now take a look at SMS OTP 2FA. Would you say the user experience is smooth? My guess is not really.

As such, it’s clear to see why 64 percent of individual users don’t use 2FA for account protection. And why should they, when there are many user-friendly authentication options out there?

SMS OTP 2FA is not cost-effective

I can’t speak for you, but not receiving an SMS OTP when I want to sign up for a service is one of the most discouraging experiences you can have as a user.

Last year, we partnered with CarGo, which used to experience 12 percent unsuccessful SMS OTP deliveries. A bad onboarding experience like this can result in a sign-up drop-off of up to 40 percent, which negatively affects your bottom line.

Take that, then add to it the fact that companies are usually charged for every SMS OTP sent, even if it isn’t delivered, and you’ll understand how SMS OTP 2FA isn’t cost-effective.

Tech giants are moving away from SMS OTP 2FA

Finally, tech giants such as Google, Microsoft, and Apple have started to move away from SMS OTP for 2FA.

Google and Microsoft have released their own authenticator apps, while Apple has gone so far as to propose a way to standardize SMS OTPs in order to improve security by making them harder to phish.
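To make the anti-phishing point concrete, here is an added example (not code from the article, from Apple, or from any browser) of how a client can use a domain-bound SMS code. It assumes the last-line "@domain #code" layout of the origin-bound one-time-code proposal, an exact host match, and constructed sample messages; the legacy message and the lookalike domain are there to show the two cases where autofill must refuse.

```python
import re
from typing import Optional, Tuple

# Constructed sample messages (not real traffic). The final line carries the
# binding "@<domain> #<code>"; the lookalike domain stands in for a phishing host.
MSG_BOUND = "747723 is your WEBSITE authentication code.\n\n@website.com #747723"
MSG_LOOKALIKE = ("747723 is your WEBSITE authentication code.\n\n"
                 "@website.com.evil-login.example #747723")
MSG_LEGACY = "Your verification code is 747723"

# Assumed shape of the binding line: "@" + host, whitespace, "#" + code.
_BINDING_LINE = re.compile(r"^@(?P<domain>[a-z0-9.-]+)\s+#(?P<code>\S+)$", re.IGNORECASE)


def parse_origin_bound_otp(sms: str) -> Optional[Tuple[str, str]]:
    """Return (domain, code) when the final non-empty line is a binding line, else None."""
    lines = [line.strip() for line in sms.strip().splitlines() if line.strip()]
    if not lines:
        return None
    match = _BINDING_LINE.match(lines[-1])
    if match is None:
        return None
    return match.group("domain").lower(), match.group("code")


def code_for_origin(sms: str, origin_host: str) -> Optional[str]:
    """What an autofill component would do: release the code only for the bound host.

    An unbound (legacy) message yields nothing, and so does a message bound to a
    different host, which is what defeats a lookalike phishing page.
    """
    parsed = parse_origin_bound_otp(sms)
    if parsed is None:
        return None
    domain, code = parsed
    if domain != origin_host.strip().lower():
        return None
    return code


if __name__ == "__main__":
    for label, msg in (("bound", MSG_BOUND), ("lookalike", MSG_LOOKALIKE), ("legacy", MSG_LEGACY)):
        print(f"{label:>9}: autofill on website.com ->", code_for_origin(msg, "website.com"))
```

The user never has to read or retype the code, so the usability argument against SMS OTP is partly answered; the interception and SIM-swap weaknesses discussed above are untouched, because the code is still delivered over the mobile network.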

Big tech is leaving SMS OTP 2FA behind, and so should we. Where do we go from here?

SMS OTP 2FA alternatives

Let’s have a look at better alternatives to SMS OTP 2FA.

Authenticator App 2FA, higher security at the cost of user experience

Do you use authenticator apps? I personally do, whenever it is available because it is more secure than SMS OTP two-factor authentication.

However, it has to be noted that the user experience deteriorates even further when compared to SMS OTP 2FA.

To authenticate with an authenticator app, the user now has to leave the app they’re trying to use, open the authenticator app, generate a code, and then go back to the original app to enter it.

That’s why this type of 2FA remains popular at companies where employees are required to use it, but not among individual users.

Biometrics, great user experience with privacy concerns

Biometric authentication is at its strongest when it comes to user experience. You use it on your phone, I use it on my phone, it authenticates our accounts within seconds, and it rarely ever fails.

However, concerns arise pertaining to data privacy, and with good reason. If a fraudster steals your password, you can change it. But if your biometric data falls into the hands of a cybercriminal, you can’t exactly change your fingerprint or facial features.

But surely it isn’t that easy to hack? That depends on the manufacturer of your device. This mobile authentication method hasn’t yet been truly standardized, which is why we’ve seen various biometric options bypassed on different devices.

Be that as it may, biometrics is a huge step up from SMS OTP 2FA, especially if wider standardization of biometric authentication were implemented.

Mobile IP address-based authentication options, the trifecta of security, user experience and data privacy

IP address-based mobile authentication solutions have the potential to unite all three of these important factors into one solution by partnering with those who hold the most power in the mobile identity space: mobile network operators (MNOs).

Depending on the solution, MNOs will usually install an additional component in their existing infrastructure to enable app developers to integrate the authentication solution. For IPification, MNOs install our proprietary GMiD box in their private network, which can generate a unique mobile ID key for each user from the mobile phone number and other variables for authentication purposes.

Best of all, these types of solutions are incredibly fast and users are authenticated within milliseconds. While the rest of the user experience will depend on the specific solution – some only require one click and some a few more – the potential here is huge.

Conclusion

In today’s day and age, SMS OTP 2FA brings more liability than it provides value. On the one hand, the security risks grow bigger every day. On the other, the low adoption rates only prove that users find the user experience sub-par.

Since better alternatives exist, companies should really start looking into them: whether individually, or as part of a larger multi-factor authentication system.


Harry Cheung is the Founder and President of IPification. Harry is a serial entrepreneur with more than 20 years of experience in cybersecurity and data protection. Before establishing Benefit Vantage Limited in 2014 and IPification in 2017, he established and grew Kaspersky Lab’s presence in the Asia Pacific region and served as an HQ company’s Board of Directors member. Harry likes fishing and sailing, and he writes articles on cybersecurity and mobile identity topics in his free time.

IPification is a Life’s A Pitch alumnus.


