The Security Downside of SMS-based Multi Factor Authentication


MFA is a security mechanism that requires users to provide at least two types of correct authentication alongside valid credentials.

MFA is not always secure

Before allowing access to a system, multifactor authentication (MFA) is regarded as an effective method of identifying valid users. MFA is a security feature that requires users to give two types of proper authentication in addition to valid credentials.

This implies that the user must supply a valid username and password. The user must then give additional proof, such as a verification number or a physical object that can only be possessed by a legitimate user.

Some types of MFA are prone to security threats and may fail to achieve the goal of restricting access to only authorised users. Using text messages for MFA verification is one example.


SMS is one of the most widely utilised methods for user authentication in MFA. Google and Microsoft, for example, frequently send verification codes to phone numbers associated with several accounts. A user is allowed access after submitting the right code.

However, many people may be unaware of the serious security risks associated with SMS-based MFA. For example, Voxox, a leading communications corporation based in San Diego, failed to password-protect a database containing over ten million messages. The exposed database allowed anyone to view, in real time, messages containing two-factor verification codes for Google, Microsoft, and Huawei IDs[1]. Consider what a malicious individual could do with access to such a database.

SIM Swap Attacks

SMS-based MFA is also unsafe because of the ease with which a SIM swap attack may be carried out. A SIM swap attack does not require any experience; anyone with the appropriate information may carry it out with ease. In the United States, a targeted SIM holder’s social security number can be used to request a SIM swap with just one phone call to the carrier. An attacker can then use the new SIM to receive the authentication codes, giving them direct access to all of the victim's accounts.

Network Security Flaws

The SS7 network that most carriers use for text and call management contains a number of security weaknesses that can be easily exploited. Attackers who gain access to SS7 networks can intercept any message sent to or from your device. Using SS7 portals, for example, they can forward all intercepted messages to internet-connected devices before rerouting them to their intended destinations. As a result, a verification code can be intercepted and used even before its owner sees it.

According to forensic expert Jonathan Zdziarski, text messages aren’t the best MFA method. “Mobile phones as a way of verification can be socially engineered out of your hands,” he said[2]. Because of this and other flaws, the National Institute of Standards and Technology (NIST) has advised businesses against implementing MFA based on SMS messages. Rather than relying on SMS messages, NIST and other prominent organisations recommend using dedicated MFA apps such as RSA SecurID and Google Authenticator, as well as dedicated secure hardware like dongles.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.