Coinbase, one of the world's largest cryptocurrency exchanges, recently revealed that 95% of its account takeovers involved accounts that relied on SMS-based multi-factor authentication (MFA). While offering SMS OTP as an authentication type is a step towards securing customer accounts, it is no longer enough to protect against the ever-evolving threat landscape.

About 95% of Coinbase’s customers utilize SMS-based authentication to secure their accounts—the weakest authentication method available on their platform. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.
SMS-based Multi-factor Authentication, also known as SMS OTP, involves receiving a one-time code via text message to verify the identity of the user attempting to access an account. While this method is relatively easy to set up, there are now more secure authentication methods that offer a higher level of assurance to both technology providers and customers.
Hackers can intercept SMS messages, SIM swapping can take place, and phishing attacks can convince users to provide their one-time password codes to bad actors.
In fact, the use of SMS authentication is so vulnerable that the National Institute of Standards and Technology (NIST) removed it from its list of recommended authentication methods back in 2016. NIST cited the weakness of SMS-based authentication in its Digital Identity Guidelines, recommending that organizations move to more secure methods of authentication.
Stronger Authentication Types
So, what are the alternatives to SMS-based authentication? The most secure method is to use passkeys, a modern, phishing-resistant authentication method that leverages public-key cryptography. Passkeys eliminate the need for passwords and SMS OTPs by allowing users to authenticate using biometrics (such as Face ID or fingerprint scanning).
Stored securely on a user's device and synced across trusted ecosystems like iCloud Keychain or Google Password Manager, passkeys offer a seamless and highly secure login experience. Unlike SMS authentication, passkeys cannot be intercepted, phished, or compromised via SIM-swapping attacks, making them a superior choice for protecting accounts from takeover attempts.