Contact salesSign inSign up

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Blog
/
Current article

SMS-Based Authentication: Why It’s No Longer Enough for Security - Authsignal

Last Updated:
October 16, 2024
Paul Bickley

Coinbase, one of the world's largest cryptocurrency exchanges, recently revealed that 95% of its account takeovers relied on SMS-based Multi-factor authentication (MFA) to secure their accounts. While offering SMS OTP as an authentication type is a step towards securing customer accounts, it is no longer enough to protect against the ever-evolving threat landscape.

The stats say about 95% of Coinbase’s customers are enrolleSMS-based authentication—the weakest 2FA method available. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.
Coinbase data 2023 - ATO by authentication type

About 95% of Coinbase’s customers utilize SMS-based authentication to secure their accounts—the weakest authentication method available on their platform. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.

SMS-based Multi-factor Authentication, also known as OTP SMS authentication, involves receiving a one-time code via text message to verify the identity of the user attempting to access an account. While this method is relatively easy to set up, there are now more secure authentication methods that offer a higher level of assurance to both technology providers and customers. Hackers can intercept SMS messages, SimSwapping can take place, and phishing attacks can convenience users to provide their one-time password codes to bad actors.

In fact, the use of SMS authentication is so vulnerable that the National Institute of Standards and Technology (NIST) removed it from its list of recommended authentication methods back in 2016. NIST cited the weakness of SMS-based authentication in its guidance on Digital Identity Guidelines, recommending that organizations move to more secure methods of authentication.

Stronger Authentication Types
So, what are the alternatives to SMS-based authentication? The most secure method is to use a physical security key, such as YubiKey, which plugs into a computer's USB port or connects via Bluetooth. Security keys generate a unique code each time they are used, making it nearly impossible for hackers to intercept the code or use it for unauthorized access.

Another option is to recommend TOTP authentication apps, such as Google Authenticator or Authy. These apps generate one-time codes that users enter to access their accounts. Authentication apps are more secure because the codes are generated locally on the user's device and not sent through a vulnerable network like SMS.

Lastly, push authentication is a mobile-centric authentication whereby the service provider sends the user a notification over the most secure available communication channel. The user responds to the challenge by performing an action to verify their identity and access the service.

💡Offering stronger alternatives to SMS is an excellent opportunity to improve both your security posture and enhance your customer experience with new technology.

The use of SMS-based authentication is no longer sufficient to protect against account takeover attempts. While it may be a convenient and easy-to-use method of authentication, it is not secure. As threats continue to evolve, it is imperative that users adopt more secure authentication methods, such as physical security keys or authentication apps, to safeguard their online accounts. As a platform provider, it is your responsibility to take proactive measures to educate your customers and help them to protect their digital assets and personal information.

Try out our passkey demo
Passkey Demo
Subscribe to our monthly newsletter
Subscribe
You might also like
Add MFA to Keycloak using Authsignal: A Step-by-Step Guide
Authsignal offers an easy-to-integrate solution that simplifies the process of adding MFA to Keycloak.
Authsignal in partnership with MATTR claims authentication world first, binding Mobile Driver’s License (mDL) to Palm Biometrics
Authsignal has launched a world-first solution that binds a mobile driver's license (mDL) with Palm Biometrics.
Biometrics Passkey-Binding: Ensure Digital Credential Ownership and Real Human Presence
Learn about biometric passkey-binding pairs facial recognition with cryptographic passkeys for secure, seamless authentication, protecting against phishing, deepfakes, and fraud while improving user experience.
Secure your customers’ accounts today with Authsignal.