5 Reasons SMS Authentication is still SO common despite being so insecure

Posted by Phil Cuff on Mar 31, 2019 3:45:00 PM

What’s going on with SMS Authentication? How come it’s still a thing!? In fact, SMS is still the most commonly used form of Multi-Factor Authentication (MFA) on the planet.

If you doubt this, think globally. Don’t be limited by your own experience, even though I bet you still receive more OTPs (One-Time Passwords) by SMS than you care to think of, no matter how many smartphone authenticator apps and Google Authenticator accounts you have!

And if that doesn’t sway you, check out TwoFactorAuth.org and the number of national and multi-national companies that depend on SMS to authenticate their customers. And while you’re there, check out the number of companies that still don’t use MFA at all!

And yet…. it takes 2 seconds to google dozens of articles about how insecure it is, and how many major hacks have been attributed to insecure SMS Authentication.


(Image: Metro Bank fraud attack)

Rather than repeating all those articles here, suffice it to say the SMS channel itself was never designed or intended to be secure, and it isn’t. So, in the briefest terms possible, the problem is that the intended ‘secret’, the OTP that the user has to enter to authenticate himself/herself, is sent to the user over an insecure channel. It can be intercepted in transit (for example via weaknesses in the SS7 signalling network) or redirected to a fraudster’s handset (a SIM swap), and a captured code can then be re-used by the fraudster to log in as the user.
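To make the ‘intercepted and re-used’ problem concrete, here is an added example (not code from the original post or from any product it mentions) of an OTP verifier written the naive way, where a stored code is never invalidated, beside a hardened one that makes each code single-use, short-lived, attempt-limited and bound to the login session that requested it. Phone numbers, session identifiers, the 120-second lifetime and the three-attempt limit are constructed assumptions for the demo.

```python
import hmac
import secrets
import time

# Constructed example, not the post's own code: a replayable SMS-OTP verifier
# beside one that limits what an intercepted code is worth.

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed lifetime of a code
MAX_ATTEMPTS = 3        # assumed guess limit per challenge (10^6 space is tiny)


def generate_otp() -> str:
    """Random zero-padded code; secrets.randbelow is unpredictable, random.randint is not."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class NaiveVerifier:
    """One code per phone number, never invalidated: an intercepted OTP replays forever."""

    def __init__(self):
        self.codes = {}  # phone -> otp

    def send(self, phone: str) -> str:
        otp = generate_otp()
        self.codes[phone] = otp
        return otp  # what the carrier delivers, and what an interceptor sees

    def verify(self, phone: str, otp: str) -> bool:
        return self.codes.get(phone) == otp


class HardenedVerifier:
    """Single-use, time-bound, attempt-limited and session-bound verification.

    This limits *re-use* of a captured code. It cannot stop an attacker who
    intercepts the SMS and submits the code before the legitimate user does,
    which is why the channel itself remains the weak point."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # (phone, session_id) -> {"otp", "expires", "attempts"}

    def send(self, phone: str, session_id: str) -> str:
        otp = generate_otp()
        self.pending[(phone, session_id)] = {
            "otp": otp,
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp

    def verify(self, phone: str, session_id: str, otp: str) -> bool:
        key = (phone, session_id)
        entry = self.pending.get(key)
        if entry is None:
            return False  # no outstanding challenge for this session, or already consumed
        if self.now() > entry["expires"]:
            del self.pending[key]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[key]  # lock the challenge rather than allow 10^6 guesses
            return False
        ok = hmac.compare_digest(entry["otp"], otp)  # constant-time comparison
        if ok:
            del self.pending[key]  # consume on success: single use
        return ok


def demo_replay() -> dict:
    """Attacker intercepts the code, the user logs in, the attacker replays the same code."""
    phone = "+15555550100"  # constructed number
    results = {}

    naive = NaiveVerifier()
    code = naive.send(phone)                      # intercepted in transit
    results["naive_user"] = naive.verify(phone, code)
    results["naive_replay"] = naive.verify(phone, code)   # still accepted

    clock = [1_000_000.0]                         # fake clock so expiry is testable
    hard = HardenedVerifier(now=lambda: clock[0])
    code = hard.send(phone, "sess-user")
    results["hard_user"] = hard.verify(phone, "sess-user", code)
    results["hard_replay"] = hard.verify(phone, "sess-user", code)   # consumed

    code2 = hard.send(phone, "sess-user2")
    results["hard_wrong_session"] = hard.verify(phone, "sess-attacker", code2)
    clock[0] += OTP_TTL_SECONDS + 1
    results["hard_expired"] = hard.verify(phone, "sess-user2", code2)

    code3 = hard.send(phone, "sess-user3")
    for guess in ("000000", "111111", "222222", "333333"):
        hard.verify(phone, "sess-user3", guess)
    results["hard_locked_after_guesses"] = hard.verify(phone, "sess-user3", code3)
    return results


if __name__ == "__main__":
    for name, accepted in demo_replay().items():
        print(f"{name:26s} accepted={accepted}")
```

The point the demo makes is the one the paragraph above stops short of: binding, expiry and single use shrink the window in which an intercepted code is useful, but none of them protect against an attacker who reads the SMS and uses the code first. Run it with `python otp_replay.py` (file name assumed).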

On top of that, SMS Authentication is not cheap either, let alone free: there are telco and OTP server charges to pay.


So here are 5 reasons SMS Authentication is still so popular. And then of course, if you want to use, or keep using, SMS authentication, how can it be used much more securely?

1) Extreme simplicity, convenience and reliability

All you need to authenticate via SMS is a mobile phone.

Don’t know about you, but these days if I leave my wallet or my phone behind I notice the phone’s missing almost instantly. We’re virtually glued to them now.

And the days of SMS message receipt being hit or miss are gone. Guaranteed-delivery services mean the OTP sent by SMS typically arrives within 2 or 3 seconds pretty much anywhere in the world. So it’s ideal for travellers, whether or not you’ve signed up for a data plan in the country you’ve travelled to.

2) Instant and frictionless new user registration and perfect for infrequent users

This point is key. Once you’ve opted in to SMS Authentication there is literally no registration process. No app to download. Nothing to remember (or forget). Just your phone.

So SMS is ideally suited to infrequent users. For example, annual interaction with your tax office(!) or hopefully infrequent access to medical expense claims etc.

3) Same solution for multiple services

I now have literally dozens of authentication apps and accounts. SMS Authentication works exactly the same for 1 service as it does for 100, making it super-convenient and practical for users.

4) Works on every mobile phone

There’s no app or anything else to install on your phone, so SMS works on all mobile phones, smart or not. That makes it well suited to countries with high usage of cheaper non-smart phones.

5) Service providers obtain each user’s mobile number!

This last point is controversial given the trouble Facebook has recently got itself into (again!) over its use of the mobile numbers collected from users of its MFA service. However, whether we approve or not, this certainly highlights one of the most important, non-security-related reasons that SMS Authentication is still so commonly used: companies that might not otherwise be able to obtain users’ mobile numbers have been collecting them by the tens of millions.

So…. how can SMS be used to authenticate your customers much more securely?
This is the subject of my next post but, in short, the answer is ‘Zero Knowledge Password Proof’ (ZKPP).

Want to know more or receive an alert for my next post? Please subscribe.



Topics: SMS, One-Time Password, OTP


