We’ve covered the need to implement 2FA as a security feature before and the need to have it in place in light of the new EU regulations is rather evident. One of the aspects of it is the balance between having a user-friendly and a secure solution. So, here’s where we throw the good old SMS into the ring as one of the options to consider.
When and where you need user authentication
By now we’ve all probably experienced user authentication in some shape or form. Be it in downloading a popular OTT app such as Viber or Whatsapp, doing banking transactions online or even voting if you live here in Estonia.
Many of the applications would require more than a single password, and two-factor authentication would involve using different factors simultaneously:
- something the user already knows (for example, a chosen password);
- something the user has (for example, a mobile phone);
- something the user gets (for example, a PIN code sent in an SMS message).
Combination of these significantly increases security and SMS is an easy, reliable and straightforward way to deliver your authentication notifications as a second layer. So, we’d have our passwords combined with the pin codes sent to our mobile phones.
How it works
In a simplified scenario, the user enters the mobile phone number into the application’s form, receives an authentication PIN code via an SMS message and types it into the application’s form to confirm their identity. For added security Flash SMS can be used. It means that the security code is not stored on the recipient’s handset, adding another piece of security via mitigated storage.
Some of the key factors making SMS a great 2FA tool
It’s fast. SMS notification is received at your handset in seconds, and it won’t get in the way or slow you down. With the “within seconds” delivery, you can be assured that users won’t retry immediately and that mitigates the costs of 2FA delivery (as retrys cost money).
It’s easy. Users are well familiar with SMS notifications, thus authenticating is straightforward and distinct. The open rate is 98%, so the habit of checking the notifications as well as having them enabled is there.
It’s secure. SMS notification is generated and sent via other – non-email nor web – channel and application can compare the originally generated password with the submitted one. There are some security concerns, of course, however many of these are somewhat overblown in the press (e.g. SIM-swap, SMS interceptions). If using SMS as an OOB (Out-of-Band) channel for 2FA, consider adding an additional knowledge factor to further secure the account or payment. That will provide additional security against certain SIM-swap or SMS-interception scenarios, should they occur.
So, there you are, it’s a simple and secure way to add more in the way of security to your users as well as improve the security compliance of the company in question.