SMS 2FA is a declining method of two-factor authentication (2FA) that relies on the delivery of a one-time password (OTP) or other secret as an additional mode, delivered via a text message.
With SMS 2FA, a user logs into their account by entering their username and password, however they are additionally required to enter an OTP or other secret delivered via SMS (short message service, or a text message). Here, a third data field on the original login page or a new webpage would appear, and once the user entered the information, they would be logged in.
SMS 2FA was a once-highly regarded innovation since it made obsolete the need for a user to carry and manage a third device, since smartphones are commonplace. Today SMS is sundowning due to its vulnerabilities. For one, early on experts discovered a vulnerability in the SS7 communication protocol which enables texting between two different cellular carriers. SMS 2FA also relies on password authentication, which provides a remarkably weak foundation for any security system.
The SS7 vulnerability makes the conversation occurring between the SMS 2FA service provider and the user open to a man-in-the-middle (MITM) attack. Confidence in SMS 2FA all but ended in mid-2016 once the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, deprecated it citing the SS7 vulnerability. Despite one of the US’s (and world’s) most influential standards bodies downrating SMS 2FA, it persists in legacy due to its relative convenience among hard-to-consume security options. PUSH authentication as a second factor or as part of a multi-factor authentication (MFA) approach are thought to have replaced SMS 2FA yet even it is showing signs of vulnerability with PUSH attacks on the rise.
SMS 2FA is also subject to phone cloning, and some have even argued that SMS 2FA has suffered from "mission creep", that is actually a single factor, with it being a complete substitute for "I forgot my password" with no need for a password reset.
SMS 2FA, aside from the SS7 exploit, and indeed PUSH authentication are only as secure as the underlying security system. For that reason today’s security solutions are architected with a lower (or no) reliance on passwords, as the failings of these shared secrets remain the #1 cause of data breaches.
“We’re moving to the use of authenticator apps for 2FA in our small business. SMS 2FA is insecure since the authorities have noted that text messages are subject to interception or redirection, leaving us wide open to a man-in-the-middle attack.”