Skip to main content

Lee Suker, director of Market Development at XConnect makes the case for SMS ‘One Time Passwords’ (OTPs) as part of a set of security controls, but urges caution when choosing providers.

If you have been tuning into the Mobile Ecosystem Forum (MEF) Privacy and Identity Working Group, you would have heard all about the ‘UserID & Password’ being broken. This isn’t quite the case, but what the headline points out is that the over reliance on a single knowledge factor presents a significant security risk.

Multi Factor Authentication will soon be the normality for online lives:

  But…not all providers of SMS are the same.  Choosing suppliers poorly may leave end users and your business with little more than just a sense of security, or it could result in end-users failing to adopt 2FA due to poor user experiences.

  • Something you know
  • Something you have
  • Something you are
  • Something you did
  • Somewhere you are

These are familiar security themes which elevate authentication assurance. Yet some of these questions are difficult, sensitive or risky to answer.

Two Factor Authentication (something you know, something you have) using SMS One-Time-Passcodes has become the go-to solution to improve security.  It has been successful for good reason – it’s simple to use and the public is fully trained in how to use it, enterprises that deploy it observe a significant reduction in account takeovers and fraud, and it’s readily available from SMS service providers.

But…not all providers of SMS are the same.  Choosing suppliers poorly may leave end users and your business with little more than just a sense of security, or it could result in end-users failing to adopt 2FA due to poor user experiences.

So, what are the things to look for when choosing a provider?

  • Are they a member of the MEF code of conduct? The global code sets out best practice for those operating within the Application to Person (A2P) SMS sector and is based on 10 principles – offering detailed guidance on commercial, procedural and technical requirements, as well as an emphasis on consumer protection.
  • Suppliers that minimise the number of message intermediaries – It goes without saying that the less people in the chain the smoother the delivery process. If your messages aren’t being delivered through approved routes (for instance, are your suppliers checking Mobile Number Portability to ensure delivery?) this will lead to undefined message delivery delay or message blocking.
  • Suppliers that offer SLAs so that you can be confident in timely delivery – your customers don’t want to be waiting around for their 2FA codes, they need them as soon as they request them. If your suppliers aren’t guaranteeing a timely delivery, this will impact on customer satisfaction and they could go elsewhere, or decide to not bother with security.
  • Are their prices too good to be true? Low prices are probably an indicator of providers using SIM farms or other grey routes – the set ups are inferior so your OTPs won’t go out quickly and they violate network fair usage agreements so they’re likely to get blocked.

Another consideration is not to over use SMS 2FA.  It is not always necessary and it will become cumbersome for your subscribers and costly for you.  Too much SMS 2FA could result in choosing a supplier on cost and defeating your original security objectives.  So, consider SMS 2FA as a proof of possession at the time of asking, which should then enable you to trust some other possession factor that persists over time e.g. the same laptop or mobile device logging in.

SMS OTP isn’t the answer for every transaction…

SMS OTP has been unfairly derided in the press because it has been relied upon to secure very high value accounts like bitcoin wallets, bank accounts and VIP social media account.  For high value transactions it’s worth hackers going to the effort of conducting simswap fraud or other social engineering techniques to takeover a user’s mobile number and intercept these transactions – whereas this sort of hack doesn’t scale up to support a broad attack.

These threats are being mitigated, as MNOs are improving their procedures.  At a recent briefing from the GSMA it was interesting to hear from Europol that criminals are shifting focus away from simswap attacks, because it’s getting too hard, and focusing efforts on phishing victims direct and asking for OTP codes over the phone.

What is clear from this is that securing any relationship with high-net-worths, VIPs, high value transactions or sensitive data requires more than just 2FA using a one-time-code.  Other great methods are available to protect subscribers in these use-cases.

…But it’s a good place to start

However, for the day to day, SMS 2FA is still a valuable tool in your armoury to secure your customer’s details and engender trust with them. Just ensure that you select a provider that will ensure fast and secure delivery of those OTPs to your customer base.

Lee Suker

Director, Market Development