Don't Use SMS Text Messages for Two Factor Authentication

Mobile phone two factor authentication (2FA) - where a mobile phone takes the place of a token and becomes the first factor - something a user has - (the second factor being something a user memorizes - a PIN or password) has serious drawbacks. Often a passcode of 4-6 digits will be sent to a smart phone via a SMS text message. Nearly everyone has likely had at least a few experiences with such authentication. While codes sent via SMS messages will expire after a short fixed time period, SMS messages can also be intercepted. The National Institute of Standards and Technology (NIST) Special Publication 800-63B on Digital Identity Guidelines highlights one potential vulnerability of sending passcodes via text messages:

"If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the authentication secret while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or biometric to view). However, authenticators SHOULD indicate the receipt of an authentication secret on a locked device. "

The NIST guide further recommends that the SMS messages be sent to pre-registered telephone numbers associated with a specific device and mentions that number porting from one mobile carrier to another poses a potential security threat.

Smart phones also usually provide access to email accounts which are always logged in. If 2FA is applied to those accounts, SMS verification allows a cell phone thief to bypass the authentication process. The SIM cards in phones can also be cloned.