Why you need to rethink the benefits of SMS authentication to improve security

A few weeks ago, tyntec approached me to discuss a new paper, “Unlocking the Mobile Security Potential: The Key to Effective Two-Factor Authentication” (read it here). What caught my interest was the assertion that using SMS to deliver one-time-passwords was poised for success.

I cringed.

After all, if we don’t control the network from end to end, lack insight to who controls the device, and question if the device is even protected, doesn’t this just set the stage for failure?

Despite my instinct to dismiss the claim as marketing run amok, I wanted to learn more. I candidly shared my skepticism and invited them to change my mind.

They did. Well, my discussion with Thorsten Trapp, CTO of tyntec, did.

What is authentication?

Before of defining the problem in terms of solutions (because it never works out – read about it here), take a second to step back to consider authentication.

Authentication is the process of verifying that someone is who they claim to be. The process to verify an identity is based on one or more factors:

• something you know
• something you have
• something you are (biometrics); look for considerations here soon

Reframing the attack on password authentication

Recent uproar about password authentication is less attack on passwords and more properly a concern over the limitations of relying on single-factor authentication. It’s not really about passwords.

The result is a growing trend to adopt the use of two or more factors. Typically called “two-factor authentication,” it’s sometimes presented as two-step authentication (or even verification). And while there may be subtle (and important) differences between the terms, the key is considering the outcome.

What problem are we trying to solve?

The challenge we need to solve: how to improve the strength of authentication to thwart attackers’ desire to gain credentials without creating more complexity and pain for the people who need to use the solution.

Perfect is the enemy of the good ~ Voltaire

For many of us, the desire is to find the perfect solution. We place focus on designing a solution to withstand a myriad of potential (though not always likely) attacks.

When asked about this, Trapp pointed out that the purpose isn’t perfection. It’s not encryption. The goal is to create the right experience for the people relying on the system while making it harder for “drive-by” and attacks of convenience. Bingo!

“It needs to be simple. It has to work.” Trapp explained that means considering the entire system and experience. As the world embraces mobile technology, the solution needs to do the same in a way that improves on current solutions. Trapp focuses on input validation and other methods to reduce accidental errors that cause future problems.

The white paper has some interesting findings (link), summed up nicely by a brief infographic here. 

Why two-factor authentication by SMS deserves a second look

Reframing the challenge as a method to improve authentication with a better experience changes the viability of solutions. With mobile computing on the rise, it makes sense to consider it.

Consider two major benefits:

1. Convenience: a majority (and growing) of people have mobile devices with SMS capability; sometimes the best solution is the one people will use.
2. Out-of-band: using SMS is different than relying on the IP-based network. It’s physically out of band. It increases the challenge for an attacker.

Out-of-band is interesting. Is it possible for someone to intercept SMS? Yes. A well-financed attacker with access to the carrier networks can absolutely intercept the secondary password.

The important question, though, is “how likely is that scenario?” While some situations call for a higher standard, this sort of attack isn’t likely for most. Using SMS is worthy of consideration as a solution to improve authentication without a lot of additional effort.

A global perspective

Part of my initial hesitance to SMS authentication was based on my understanding of how SMS operates on US carriers. What Trapp helped me understand is that the balance of the world uses a different model. In fact, the approach tyntec uses was both rather technical and compelling.

I found it a refreshing reminder that in a global environment, sometimes it helps to broaden our field of view. When we think of solutions, we tend to use the field of view we currently have, then substitute that view for the world view (read more about how visualization helps here).

What it means and how we can improve

Sometimes the effort to build better security solutions gets obscured a bit by a quest for perfection. When we step back to consider the challenge and define reasonable outcomes, new pathways emerge.

To improve authentication for most, reconsider how to use existing infrastructure to develop solutions. Reconsidering SMS means the possibility of more convenience, a better experience, and using an out-of-band mechanism that works for almost everyone. 

It’s a good start.