July 28, 2016

Accounts At Risk! SMS Based Two Factor Authentication Came To An End – It’s Insecure!

Two-factor authentication (2FA) is generally seen as the safest play for securing your Google accounts. It requires you (the user) to enter a code that you receive via SMS on your phone before you can log in to a 2FA-protected account. This prevents anyone from gaining unauthorized access to your account, even if they manage to get hold of your password. This double-layered authentication process is supported by numerous online services, including big banks, Google, Facebook, and even the government.

It was introduced to ensure that hackers would need both your password and your mobile phone in order to hack your account. It has become standard practice these days because of its added benefits. But from now on it won't be available to users.

SMS Based Two-factor Authentication Is Dead:

This additional layer of protection has been declared insecure, and very soon it is going to become a thing of the past. The US National Institute of Standards and Technology (NIST) has released a new draft of its Digital Authentication Guideline that says SMS-based two-factor authentication should be banned in future due to security concerns.

According to this draft,

“If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

How Is SMS-Based Two-Factor Authentication Insecure?

NIST (National Institute of Standards and Technology) considers SMS-based two-factor authentication an insecure process for the following reasons:

  • The website operator has no way to verify whether the person who receives the 2FA code is the correct recipient. So your account is at risk when anyone steals your mobile.
  • There is a lot of scope for hijacking if the individual uses a voice-over-internet-protocol (VoIP) service, as it provides phone call service via a broadband internet connection instead of a traditional network.
  • With the help of a VoIP service, hackers could still gain access to your accounts protected with SMS-based two-factor authentication.
  • Some devices display the 2FA code even on the lock screen.
  • Hackers can receive your OTP by diverting the SMS containing the code to their own device. They can also reset your Facebook or Gmail accounts by receiving the reset code. This is because of design flaws in SS7 (Signalling System Number 7).

BIOMETRIC Is Going To Replace 2FA:

NIST suggests using biometrics (fingerprint scanner), as it is more secure than 2FA. In this respect, the DAG draft reads:

“Therefore, the use of biometrics for authentication is supported, with the following requirements and guidelines: Biometrics SHALL be used with another authentication factor (something you know or something you have).”

Biometrics aside, many tech companies like Facebook and Google offer an in-app code generator as an alternative solution for 2FA, as this code generator doesn't rely on SMS or the network carrier.


Recently, Google has also made its two-factor authentication a lot easier and faster by introducing a new method called Google Prompt. It uses a simple push notification where you approve login requests with a single tap. All these reasons collectively account for the end of SMS-based two-factor authentication. So, users should be more careful with their accounts.

About the author 

Imran Uddin
