A few weeks ago, tyntec approached me to discuss a new paper, "Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication" (read it here). What caught my interest was the assertion that using SMS to deliver one-time passwords was poised for success.

I cringed.

After all, if we don't control the network from end to end, lack insight into who controls the device, and question whether the device is even protected, doesn't this just set the stage for failure?

Despite my instinct to dismiss the claim as marketing run amok, I wanted to learn more. I candidly shared my skepticism and invited them to change my mind.

They did. Well, my discussion with Thorsten Trapp, CTO of tyntec, did.

What is authentication?

Before defining the problem in terms of solutions (because that never works out; read about it here), take a second to step back and consider authentication.

Authentication is the process of verifying that someone is who they claim to be. Verifying an identity is based on one or more factors:

- something you know
- something you have
- something you are (biometrics); look for considerations here soon

Reframing the attack on password authentication

The recent uproar about password authentication is less an attack on passwords and more properly a concern over the limitations of relying on a single factor. It's not really about passwords.

The result is a growing trend to adopt two or more factors. Typically called "two-factor authentication," it is sometimes presented as two-step authentication (or even two-step verification). While there may be subtle (and important) differences between the terms, the key is considering the outcome.

What problem are we trying to solve?

The challenge we need to solve: how to strengthen authentication enough to thwart attackers' desire to gain credentials, without creating more complexity and pain for the people who need to use the solution.

Perfect is the enemy of the good ~ Voltaire

For many of us, the desire is to find the perfect solution. We focus on designing a solution to withstand a myriad of potential (though not always likely) attacks.

When asked about this, Trapp pointed out that the purpose isn't perfection. It's not encryption. The goal is to create the right experience for the people relying on the system while making it harder for "drive-by" attacks and attacks of convenience. Bingo!

"It needs to be simple. It has to work." Trapp explained that this means considering the entire system and experience. As the world embraces mobile technology, the solution needs to do the same, in a way that improves on current solutions. Trapp focuses on input validation and other methods to reduce the accidental errors that cause future problems.

The white paper has some interesting findings (link), summed up nicely by a brief infographic here.

Why two-factor authentication by SMS deserves a second look

Reframing the challenge as a method to improve authentication with a better experience changes the viability of solutions. With mobile computing on the rise, it makes sense to consider it.

Consider two major benefits:

- Convenience: a majority (and growing) of people have mobile devices with SMS capability; sometimes the best solution is the one people will actually use.
- Out-of-band: SMS travels a different path from the IP-based network the login itself uses. It's physically out of band, which increases the challenge for an attacker.

Out-of-band is interesting. Is it possible for someone to intercept SMS? Yes. A well-financed attacker with access to the carrier networks can absolutely intercept the secondary password.

The important question, though, is "how likely is that scenario?" While some situations call for a higher standard, this sort of attack isn't likely for most. Using SMS is worth considering as a way to improve authentication without a lot of additional effort.

A global perspective

Part of my initial hesitance about SMS authentication was based on my understanding of how SMS operates on US carriers. What Trapp helped me understand is that the rest of the world uses a different model. In fact, the approach tyntec uses was both rather technical and compelling.

I found it a refreshing reminder that in a global environment, it sometimes helps to broaden our field of view. When we think of solutions, we tend to use the field of view we currently have, then substitute that view for the world view (read more about how visualization helps here).

What it means and how we can improve

Sometimes the effort to build better security solutions gets obscured by a quest for perfection. When we step back to consider the challenge and define reasonable outcomes, new pathways emerge.

To improve authentication for most, reconsider how to use existing infrastructure to develop solutions. Reconsidering SMS means the possibility of more convenience, a better experience, and an out-of-band mechanism that works for almost everyone.

It's a good start.
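To make the mechanism discussed above concrete, here is an added example of the server side of an SMS-delivered one-time password: generate a short random code, hand it to the out-of-band channel, and later check what the user types. This is illustrative code written for this page, not code from the post or from tyntec, and it makes no claim about how tyntec's service works. The SMS gateway is a constructed in-memory stand-in so the flow runs offline; the six-digit length, five-minute lifetime and five-attempt limit are assumed values chosen for the example.

```python
"""Server-side issuance and verification of an SMS one-time password.

Added example for this page; not code from the post or from tyntec.
The gateway below is a constructed stand-in for a carrier-side SMS API.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 300     # assumed lifetime: five minutes
MAX_ATTEMPTS = 5          # assumed limit before the code is invalidated


class FakeSmsGateway:
    """Constructed stand-in for the out-of-band channel: records what would be sent."""

    def __init__(self):
        self.outbox = []  # list of (phone_number, text)

    def send(self, phone_number, text):
        self.outbox.append((phone_number, text))


class OtpService:
    """Issues single-use codes and checks them; only a salted hash is kept server-side."""

    def __init__(self, gateway, clock=time.time):
        self.gateway = gateway
        self.clock = clock          # injectable so expiry can be exercised without waiting
        self.pending = {}           # user_id -> {"hash", "salt", "expires", "attempts"}

    def issue(self, user_id, phone_number):
        # secrets.randbelow draws from the OS CSPRNG; zero-pad so every code has OTP_DIGITS digits
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[user_id] = {
            "hash": self._digest(salt, code),
            "salt": salt,
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The plaintext code leaves the server only over the second channel.
        self.gateway.send(phone_number, f"Your verification code is {code}")

    def verify(self, user_id, submitted):
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[user_id]          # expired: discard, user must request a new code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user_id]          # too many guesses: invalidate the code
            return False
        # Tolerate the accidental errors a user makes on a phone keypad: stray spaces.
        candidate = submitted.strip().replace(" ", "")
        if not (candidate.isdigit() and len(candidate) == OTP_DIGITS):
            return False
        ok = hmac.compare_digest(self._digest(entry["salt"], candidate), entry["hash"])
        if ok:
            del self.pending[user_id]          # single use: a replayed code is rejected
        return ok

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()


if __name__ == "__main__":
    gateway = FakeSmsGateway()
    service = OtpService(gateway)
    service.issue("alice", "+15555550100")          # constructed phone number
    sent_text = gateway.outbox[-1][1]
    code = sent_text.split()[-1]                    # what the user reads off the phone
    print("would have sent:", sent_text)
    print("wrong code accepted?", service.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted?", service.verify("alice", code))
    print("replay accepted?", service.verify("alice", code))
```

The server never stores the plaintext code, compares in constant time, expires the code, caps guesses, and consumes the code on first success, so a code that leaks later is worthless. The whitespace normalisation is one small instance of the input validation Trapp mentioned: it keeps a slip of the thumb from burning an attempt. None of this addresses interception of the SMS itself, which the post acknowledges as the residual risk of the channel.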