
Don't Use SMS Text Messages for Two Factor Authentication


Mobile phone two-factor authentication (2FA), in which a mobile phone takes the place of a token and becomes the first factor (something a user has) while the second factor is something a user memorizes (a PIN or password), has serious drawbacks. Often a passcode of 4-6 digits is sent to a smartphone via an SMS text message. Nearly everyone has likely had at least a few experiences with such authentication. Although codes sent via SMS expire after a short fixed time period, SMS messages can also be intercepted. The National Institute of Standards and Technology (NIST) Special Publication 800-63B, Digital Identity Guidelines, highlights one potential vulnerability of sending passcodes via text messages:

"If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the authentication secret while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or biometric to view). However, authenticators SHOULD indicate the receipt of an authentication secret on a locked device."

The NIST guide further recommends that the SMS messages be sent to pre-registered telephone numbers associated with a specific device and mentions that number porting from one mobile carrier to another poses a potential security threat.

Smartphones also usually provide access to email accounts that stay logged in. If 2FA is applied to those accounts, SMS verification allows a cell phone thief to bypass the authentication process, because the passcode arrives on the stolen phone itself. The SIM cards in phones can also be cloned.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.