MFA Post 7: Other Contact Mechanisms (Email, Phone,...)
In addition to sending codes via SMS, some service providers may send codes via other contact mechanisms, such as email, phone, or various chat applications. These mechanisms are very similar to SMS: they are mechanisms to deliver a code to a user. Usually the code is 6 digits.
The security of these mechanisms varies and depends on a large variety of factors that are largely outside the scope of the mechanism itself. Email, and some of these other ones, are very often used as a possession proof for password reset as well. The assumption is that if you have access to the email account you must be the customer who registered an account with that email address. However, this creates a security dependency. The security of the account you are resetting the password for depends completely on the security of the email account. Sadly, most people do not protect their email account to the extent that would be prudent if you are going to make the security of your retirement account dependent on it. In most cases where email accounts are used in a password reset workflow the customer does not even get a chance to opt into this feature. They may not know this is how the flow works until after their account has been compromised. For this reason, you should always consider your personal email account to be as sensitive as all your most sensitive accounts and require the highest assurance level protection. Unfortunately, this is somewhat at odds with how the email protocols work and the protection offered by many email providers.
In terms of advantages, these mechanisms have the same advantages as SMS, with one additional one: people who cannot use SMS can sometimes use one of these mechanisms. For instance, call center employees may be barred from bringing mobile phones onto the floor. However, they may be able to get a code via email. Similarly, voice calls work over landline phones as well as cellular phones, although fewer and fewer people have those these days.
The disadvantages depend on the exact delivery mechanism. For example, voice calls over mobile phones are subject to the same interception risks as SMS. Email is sometimes transmitted in clear-text across the Internet. Although successfully intercepting Internet traffic is harder than we often seem to think, it is possible and the end user very likely will never know that this happened. If a user uses one of the many smartphone email apps that store data in their own clouds (such as the Outlook app and Edison Mail) the authentication codes and reset messages are stored on a third-party cloud service as well. They may even have been available to developers of those tools.
Email is not a real-time delivery mechanism. While we are used to it being very fast, it is not unheard of for codes to expire before they get delivered. Many people also have their email accounts set up on multiple computers, which means the codes get delivered to more than one computer. That increases its exposure to malware or monitoring tools if any one of those devices is compromised.
While most relying parties these days verify that you actually have access to the email account before they rely on it for things like password reset, email verification is by no means universal. Many service providers still do not verify that you actually own the email address you gave them. Some customers actually use this in a misguided attempt to preserve privacy. In reality, it means the provider may send reset codes to addresses that the customer doesn’t actually own, allowing someone else to take over the account. Even if they verified it originally, it does not mean the customer still owns it. Contact information used for sensitive purposes must be periodically revalidated.
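The verification, revalidation and expiry points above, as an added example that is not code from the original post. The `Contact` and `ResetCode` types, the function names, the 180-day revalidation window, the 10-minute lifetime and the 5-attempt limit are all assumptions chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed policy values, not taken from the post.
REVALIDATE_AFTER = timedelta(days=180)  # contact ownership must be re-proven this often
CODE_TTL = timedelta(minutes=10)        # email is not real-time, so allow for delivery delay
MAX_ATTEMPTS = 5                        # a 6-digit code is only 10**6 guesses

@dataclass
class Contact:
    address: str
    verified_at: Optional[datetime]     # None means ownership was never proven

@dataclass
class ResetCode:
    code: str
    expires_at: datetime
    attempts: int = 0

def usable_for_reset(contact: Contact, now: datetime) -> bool:
    """Only verified and recently revalidated contacts may receive reset codes."""
    if contact.verified_at is None:
        return False
    return now - contact.verified_at <= REVALIDATE_AFTER

def issue_code(contact: Contact, now: datetime) -> Optional[Tuple[str, ResetCode]]:
    """Return (code_to_send, stored_record), or None if the contact is not eligible."""
    if not usable_for_reset(contact, now):
        return None
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
    return code, ResetCode(code, now + CODE_TTL)

def check_code(record: ResetCode, submitted: str, now: datetime) -> bool:
    """Reject expired, over-guessed or already-used codes; compare in constant time."""
    if now >= record.expires_at or record.attempts >= MAX_ATTEMPTS:
        return False
    record.attempts += 1
    ok = hmac.compare_digest(submitted.encode(), record.code.encode())
    if ok:
        record.attempts = MAX_ATTEMPTS         # single use: burn the code on success
    return ok
```

A contact that fails `usable_for_reset` should be routed to a re-verification flow rather than silently receiving a code.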
Other delivery mechanisms, such as various chat applications, come with their own sets of advantages and disadvantages. It’s very difficult to enumerate them all, but as a general rule, these mechanisms probably should all be considered equivalent to SMS in terms of the level of assurance they provide. There may be differences but overall it’s a reasonable comparison.
None of these mechanisms are more phishing resistant than SMS, and possibly less so depending on the circumstances.
In conclusion, my advice to implementers would be to consider these mechanisms very carefully, especially when using them for password reset. The reality is that the vast majority of your customers do not protect their email accounts as well as they should considering that they are the vital piece that ties together their entire digital lives. I would encourage you to be extremely clear and transparent on this point and not just include it in the 16-page terms and conditions that nobody reads and that most service providers can’t act on even if the user tried.