Generic selectors
Exact matches only
Search in title
Search in content

It’s official: text message-based two-factor authentication is not safe

08/12/2016 / 1 Comments

It’s been common knowledge for some time now: SMS-based two-factor authentication is easily hackable and does not provide adequate protection for user accounts. The U.S. National Institute for Standards and Technology (NIST) published their Digital Authentication Guideline stating that SMS-based two-factor authentication should no longer be used as authentication method. The exact paragraph states:

“If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”


Simply put: SMS were never meant to be used for sensitive data. Not for confidential communications and definitely not to transmit authentication credentials. SMS-based two-factor authentication is vulnerable from several points of attack. The main argument NIST uses is the lack ownership proof. Anybody can obtain a phone and there is no way to verify the authenticated phone is in the possession of the user.

Additionally, accounts have been hacked by employing a design flaw in the SS7 (Signaling System Number 7) to hijack the SMS to the phone of the attacker. Other ways to obtain the one-time password send via SMS is by apps that have access to the text messages on the phone (for example Google Messenger or Hangouts). Text messaging is the most vulnerable application on a smart phone with several apps having unlimited access to the SMS.

Also, VoIP services may be used to hijack an user account. For banking services using a SMS-based authentication system frauds using cloned SIM-cards are known.

SMS-based two factor authentication is also extremely vulnerable to phishing methods.


It is now official that SMS-based two-factor authentication is not a safe alternative. If you have been using that kind of authentication you should follow the guideline and switch to a non-SMS-based two-factor alternative. If you are relying solely on passwords to secure your user accounts, you should switch to two-factor authentication as soon as possible. Most providers offer a secure two-factor authentication, including Facebook or Google.

If you are for example developing services for customers, as in apps or other services, you can use our easy SecSign ID plugins and interfaces for easy and secure user protection. Be ahead of your competitors and give your user a peace of mind.


Two-factor authentication provider offer a long list of authentication methods other than SMS, from calls to QR code to simple push notifications. Every method has advantages and disadvantages, but with the SecSign ID we managed to combine the best features to offer a solution that outmatches other authentication solutions.

sms vs auth features

SecSign 2FA