
Communications of the ACM

ACM News

The Problem with SMS Two-Factor Authentication

Not everyone understands the potential vulnerabilities inherent in SMS two-factor authentication.

Using SMS two-factor authentication is better than no online security at all, but it has its vulnerabilities, too.


Many use SMS (short message service) two-factor authentication (2FA) on their smartphones to secure online accounts, but not everyone understands its potential vulnerabilities.

You've probably seen SMS 2FA in action. An online account, upon login, prompts you to receive a second code on your phone via text message. You receive the second code, then enter it to confirm that you are, in fact, the legitimate user of the account.

It's a system designed to keep hackers who guess your passwords from accessing your accounts and stealing your payment information.

After all, hackers and identity thieves can guess your account passwords, but they can't receive the verification code sent to your phone when you log into one of your accounts, right?

If only that were the case. In reality, SMS 2FA can be hacked, too.

In late 2018, Amnesty International reported hackers were able to hijack 2FA codes (some of which came via SMS) and compromise online accounts. In the accounts identified, malicious actors recreated the websites of legitimate services like the Tutanota email service and Yahoo to convince users to reveal their 2FA authentication codes.

SIM swapping is a major route taken by hackers to gain access to sensitive accounts through SMS 2FA—and it has resulted in hundreds of millions of dollars (conservatively) in cryptocurrency theft alone. SIM swapping is when a hacker goes into a phone store pretending to be you; the hacker convinces a staff member to port your SIM card information to a new phone, which they own.

The cryptocurrency site CoinJournal observes that porting SIM card information to a new phone "should only be done if the SIM card is lost, stolen, damaged or the user changes to a phone that uses a different-sized SIM card." Yet clever hackers sometimes can convince phone store staff to make the switch for them. "Then, all of the personal information of the original owner and all the 2FA accounts linked to it are compromised," says the site.

Hackers then trick the original owner into handing over login details, and use the swapped SIM to intercept the SMS 2FA code sent after they log in. Alternatively, the hackers attempt to reset account passwords, using the swapped SIM to intercept the confirmation code meant to prove they are the legitimate account owner.

This is exactly what happened to entrepreneur and investor Michael Terpin, who was the victim of SIM swapping schemes that resulted in his losing almost $24 million in cryptocurrency. (He's now suing AT&T for $223.8 million for failing to take appropriate security measures.)

In July 2018, a suspect was arrested for SIM swapping for the first time, according to crypto/blockchain media outlet CoinTelegraph. The perpetrator allegedly stole $5 million in cryptocurrency using the technique.

App development and hosting site Crowd Machine fell victim to the technique, too, losing $14 million in crypto as a result of a SIM swapping attack, according to Oklahoma's News 4.

In addition to hundreds of millions of dollars in cryptocurrency theft, SMS 2FA flaws have caused the U.K.'s Metro Bank to be compromised, according to reporting by Motherboard.

SMS 2FA has vulnerabilities, but these are not necessarily flaws in how it is designed, says Kaspersky Lab security researcher Vladimir Dashchenko. "In general, 2FA itself is a secure concept. Yet, the ways it is implemented may differ and could have vulnerabilities," he says.

"Codes sent over the Internet almost always have at least some risk of being stolen," says Mark Risher, Google's director of product management for counter-abuse and identity services. "Any form of 2FA improves user security over a password alone; however, not all 2FA provides equal protection. Sophisticated attacks can work around some methods of 2FA."

Risher cites SMS-based phishing attacks as one such method. "Despite this, adding a phone number for two-step verification is still recommended if you can't use any other options," he notes.

The good news is: there are other options.

One is Google's own Titan Security Key. This physical key was developed using FIDO, an open source security standard. When you log into Google services, the SMS 2FA code is sent to the security key instead of your phone; the physical security key is then inserted into your device to complete the verification process.

"Because the encrypted code is contained in a physical object the user has in their possession, rather than relying on code over the Internet, FIDO security keys thoroughly protect against traditional password phishing attacks," says Risher.

He says the firmware used in the security keys has been "sealed permanently into a secure element hardware chip at production time and is designed to resist physical attacks aimed at extracting firmware and secret key material."
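To make concrete why a code read off a phone can be relayed by a phishing page while a security-key assertion cannot, here is a simplified model (an added example, not code from the article, Google, or the FIDO specifications). It assumes constructed origins (`accounts.example`, `accounts-example.evil`), a constructed SMS code, and uses an HMAC with a per-credential secret as a stand-in for the key's public-key signature; the point it shows is the origin binding inside the signed data.

```python
"""Simplified model: relayed SMS code vs. origin-bound FIDO-style assertion.
HMAC over (rpIdHash || SHA-256(clientData)) stands in for the key's signature."""
import hashlib
import hmac
import json
import os

RP_ID = "accounts.example"                       # constructed relying-party id
LEGIT_ORIGIN = "https://accounts.example"        # constructed genuine site
PHISH_ORIGIN = "https://accounts-example.evil"   # constructed lookalike

def sms_login(expected_code: str, submitted_code: str) -> bool:
    """SMS OTP is a bearer secret: whoever submits the digits is accepted."""
    return hmac.compare_digest(expected_code, submitted_code)

def authenticator_sign(cred_secret: bytes, origin: str, challenge: bytes) -> dict:
    """The browser supplies the page's real origin; the key signs over it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()          # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # signature stand-in
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(cred_secret: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying party checks type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != LEGIT_ORIGIN:         # origin binding defeats the relay
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def phishing_relay_outcome() -> tuple:
    """Victim is on the phishing page; the phisher relays whatever it collects."""
    secret, challenge = os.urandom(32), os.urandom(32)   # real site issues challenge
    sms_ok = sms_login("493021", "493021")   # constructed code, typed into the fake page
    assertion = authenticator_sign(secret, PHISH_ORIGIN, challenge)
    return sms_ok, rp_verify(secret, challenge, assertion)

def legit_login_outcome() -> bool:
    secret, challenge = os.urandom(32), os.urandom(32)
    return rp_verify(secret, challenge, authenticator_sign(secret, LEGIT_ORIGIN, challenge))
```

The SMS path accepts the relayed code; the assertion produced on the lookalike origin is rejected even though the user touched a genuine key.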

Another potential solution to the problem is provided by Kaspersky, which offers a fraud prevention platform that leverages machine learning and "continuous analysis of hundreds of parameters in real time" to assess whether a user is legitimate. If the system assesses a user as legitimate, says Dashchenko, no additional verification steps are required; if the user's legitimacy cannot be verified, additional verification may be needed.

"During the whole session, [the system] is analyzing the behavioral and biometric data, device reputation, and other non-personalized information to detect any signs of abnormal or suspicious behavior," Dashchenko says.

That is certainly an improvement over relying on SMS 2FA alone.

Logan Kugler is a freelance technology writer based in Tampa, FL. He has written for over 60 major publications.

