Why you should STOP using SMS for multi-factor authentication

SMS for multi-factor authentication (MFA) is an awesome and easy method to add one more layer of security. As cyber security awareness increases, people are using different methodologies to secure their accounts. Generating a one-time password (OTP) via SMS is one of the popular methods used for MFA. But this method is not SECURE now.

The National Institute of Standards and Technology (NIST), a government agency of the US, strongly suggests that the generation of OTPs via SMS for MFA be discontinued. This blog discusses why you should stop using SMS for MFA and what measures developers should take to reduce the likelihood of SMS being exploited.

Why should you stop using SMS for MFA?

Here we will discuss the threats of using SMS for MFA. Below are the scenarios in which an OTP delivered via SMS can leak:

(1) Interception in the Air

Encryption is not implemented in the telecommunication network and the whole communication is in cleartext. This attack seems difficult, but in practice it may be possible by exploiting known vulnerabilities (e.g. abuse of femtocells) in telecommunication networks.

This type of issue is addressed by using the latest communication technologies.

(2) Voicemail

If you have missed the OTP sent via SMS, some app developers allow the OTP to be delivered by phone call instead. If you also miss that call, the OTP is left in voicemail. If an attacker is able to access the voicemail, the OTP gives them access to the user's account.

This issue may be mitigated by delivering OTPs in voice calls that never go to voicemail.

(3) Installation of malicious app

If you have installed a malicious app on your mobile, the app may forward your SMS messages to the attacker or to a backend database.

This issue is addressed by raising awareness among users and advising them not to install untrusted apps.

(4) SIM SWAP Attacks

If an attacker somehow swaps the victim's SIM, for example by compromising an employee of the telecom service provider, the attacker gains access to the victim's SMS messages, including any authentication factors delivered over them.

This type of attack is very difficult to address. But still, the whole responsibility lies with the telecommunication company.

Now it is high time to use alternate methods of multi-factor authentication. The alternatives are hardware or software tokens and push notifications, in combination with PKI and local authentication.


If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.
