2021: The Year of Ditching SMS OTP as 2FA?


Is this the year we say goodbye to SMS OTP two-factor authentication?

In 2017, the National Institute of Standards and Technology of the US Department of Commerce said SMS for 2FA was a deprecated solution. Unfortunately, in 2021, not much has changed.

Today, SMS OTP is still the most widely used method of two-factor authentication, used by about one-third of mobile users. Yet, fraudsters manage to circumvent it every day.

While the tech community, ourselves included, recognizes the fact that having SMS OTP two-factor authentication is better than relying on your email and password only, it’s clear that this type of 2FA may very well be left in the past.

In addition to the security risks, the user experience of SMS OTP 2FA itself isn’t up to par with today’s standards either. You have to type in your phone number, request an SMS, wait for it to arrive before you finally put the code in – and that’s if the code ever arrives.

So, is this the year of ditching SMS OTP as 2FA? It should be, but only if it’s in favor of better mobile security solutions.
Let’s first talk about why this is the time to ditch SMS OTP for 2FA before discussing better alternatives for secure and seamless mobile authentication.

Why It Is Time to Ditch SMS OTP as 2FA

As I’ve stated above, SMS OTP as 2FA comes with multiple shortfalls for all parties involved. Let me list out some of the biggest issues of SMS OTP for 2FA.

SS7 Technical Flaw Security Risks

For as long as I’ve worked in this industry, the SS7 vulnerability was a source of concern, and that hasn’t changed since 1975 when it was originally introduced.

Mobile networks carry within SS7 technical flaws that can be used to intercept or reroute an SMS message that contains your one-time password. Scary, right?
It’s precisely why so many different actors including the aforementioned NIST have called SMS OTP for 2FA an outdated mobile authentication solution.

SIM Swapping Security Risks

Have you read my article about the practice of SIM Swapping? It’s a major concern.
SIM swapping is when a fraudster gathers enough of your private data to trick your mobile provider into issuing them a new SIM card with your number, meaning that they will now receive every 2FA code and easily gain access to your accounts.

While this may sound tough to pull off, the fraudsters only really need some personal identifiers like your first and last name, social security number, DoB, or your ID.

Do you remember the infamous Twitter hack? This is actually how Jack Dorsey’s Twitter account was hacked.

Friction in User Experience

User experience has become one of the determining factors when it comes to user adoption in any industry globally. Did you know that 70% of users prefer an authentication option for its ease of use?

Now take a look at SMS OTP 2FA. Would you say the user experience is smooth? My guess is not really.
As such, it’s clear to see why 64% of individual users don’t use 2FA for account protection. And why should they, when there are many user-friendly authentication options out there?

SMS OTP 2FA Is Not Cost-Effective

I can’t say it about you, but not receiving an SMS OTP when I want to sign up for a service is one of the most discouraging experiences that you can have as a user.

Last year, we partnered with CarGo who used to experience 12% unsuccessful SMS OTP deliveries. This bad onboarding experience can result in an up to 40% sign-up drop-off that negatively affects your bottom line.

Take that, then add to it the fact that companies are usually charged for every SMS OTP sent, even if it isn’t delivered, and you’ll understand how SMS OTP 2FA isn’t cost-effective.

Tech Giants Are Moving Away from SMS OTP 2FA

Finally, tech giants such as Google, Microsoft, and Apple have started to move away from SMS OTP for 2FA.

Google and Microsoft have released their authenticator apps while Apple has even gone so far as to propose a way to standardize SMS OTPs in order to improve security by preventing phishing attacks.
The big tech is leaving SMS OTP 2FA behind, and so should we. Where do we go from here?

SMS OTP 2FA Alternatives

Let’s have a look at better alternatives to SMS OTP 2FA.

Authenticator App 2FA, Higher Security at the Cost of User Experience

Do you use authenticator apps? I personally do, whenever it is available because it is more secure than SMS OTP two-factor authentication.

However, it has to be noted that the user experience deteriorates even further when compared to SMS OTP 2FA.

To authenticate using this app, the user now has to completely exit the app they’re trying to use, open their authenticator app, generate a code, and then go back to the original app to put it in.
That’s why the use of this type of 2FA remains popular in the companies where employees are required to use them, but not in the individual user sector.

Biometrics, Great User Experience with Privacy Concerns

Biometric authentication is at its strongest when it comes to user experience. You use it on your phone, I use it on my phone, it authenticates our accounts within seconds, and it rarely ever fails.

However, concerns arise pertaining to data privacy, and with good reason. If a fraudster pwns your password, you can change it. But if your biometric data falls into the hands of a cybercriminal, you can’t exactly change your fingerprint or facial features.

But surely it isn’t that easy to hack? This will depend on the manufacturer of your device. This mobile authentication method hasn’t yet been truly standardized which is why we’ve seen hackings of various biometric options on different devices.
Be that as it may, biometrics is a huge step-up from SMS OTP 2FA, especially if some wider standardization of biometric authentication was to be implemented.

IPification, the Trifecta of Security, User Experience and Data Privacy

When we were developing IPification, we made sure to uphold the standards of security, user experience, and data privacy. Let me briefly elaborate.

Similar to SMS OTP 2FA, IPification leverages and monetizes the capabilities of mobile network operators. When you think about it, it makes sense – mobile network operators have the most power when it comes to managing our mobile IDs. More importantly, they already have a powerful tech infrastructure in place.

After installing our proprietary GMiD box on the operators’ networks, IPification assigns a unique mobile identity key to each user.

This key is based on the user’s phone number, SIM card, and device data, and the user is verified without actually transferring any private data over the network so that it stays secure. Users are only verified according to their full mobile identity key, so fraudulent activities such as SIM swap aren’t a problem either.

Best of all, users are authenticated within milliseconds after requesting the verification with only one click.

Do you want to know more? Schedule a call with us.

More on our blog