MFA Post 3: SMS Codes

When most people encounter multi-factor authentication it is through SMS codes, a possession proof that relies on having a phone tied to a known phone number. These are short text messages sent to your phone with a numeric code that you type in addition to your password to log in. The codes are (hopefully) random and (hopefully) only valid for a short period of time. Typically they are six digits, but some implementations use words or codes of different lengths.

SMS codes are by far the most common implementation of MFA, likely because they are easy to implement and work with something most people already have: a mobile phone. When these first started becoming widespread, one claimed advantage was that they worked without a smartphone, but at this point very few people have a phone that can receive SMS codes but cannot run an app, so that advantage has disappeared. Nevertheless, SMS codes remain widespread.


SMS codes are relatively easy to implement and require only that the customer has a phone with them, which most of us do today. They are also very easy to use; almost everyone can figure out how to use them. In fact, if the relying party (the thing you are logging into) knows your phone number you don’t even need to enroll in MFA for them to use it, although they typically ask you first since some cell phone plans still require you to pay for SMS messages. Apple has even simplified submitting them by offering auto-fill for SMS codes in Safari on iOS and macOS.

SMS codes have an additional advantage that nearly no IdP (identity provider) takes advantage of: they can provide context for the authentication. The vast majority of SMS codes are delivered in a message like this:

1 of 2

Here is your code: 123456

Please note that this message may incur additional charges from your mobile phone company. You are solely responsible for these

2 of 2


It is possible to include information that would provide some useful context in the message. For instance, if you are looking at a login screen for your bank and get the SMS code in a message that looks like this you may think twice about using it:

Thank you for initiating a transfer of $10,000 to a bitcoin wallet with identifier NorthKoreanHax0r. Here is your code to complete this transfer: 654321.

This is an example of something called “step-up authentication”, which I will talk about more in a later article. The point here is merely that the service could actually provide some useful context for why you are getting this code.
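To make the mechanics concrete, here is an added example (not code from the post or from any real provider) of the server side of SMS-code issuance and verification in Python. It covers what the opening paragraphs describe, a randomly generated six-digit code that is only valid for a short window, and what the paragraphs just above ask for: the code is bound to the action it authorizes, so the message text carries that context and a code sent for a transfer cannot be used to complete a login. It also enforces single use, a cap on guesses, and constant-time comparison. ExampleBank, SmsOtpService, the user id, the phone number and the wallet identifier are constructed placeholders; sent_messages stands in for an SMS gateway.

```python
"""Server-side issuance and verification of SMS one-time codes (added example).

Assumes a hypothetical relying party that keeps pending codes in memory; a real
deployment would use a shared datastore and a real SMS gateway (send is
simulated by appending to sent_messages).
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # codes are only valid for a short window
MAX_ATTEMPTS = 5            # a 6-digit space is only 10^6 guesses; cap attempts


@dataclass
class PendingCode:
    code: str
    context: str            # what the code authorizes, e.g. "log in" or a transfer
    issued_at: float
    attempts: int = 0


@dataclass
class SmsOtpService:
    sent_messages: list = field(default_factory=list)   # stand-in for an SMS gateway
    _pending: dict = field(default_factory=dict)        # user_id -> PendingCode

    def issue(self, user_id: str, phone: str, context: str, now=None) -> str:
        """Generate a code for one action and 'send' it; returns the code only so
        the demo and tests can exercise verify(), never to the browser."""
        now = time.time() if now is None else now
        # secrets.randbelow is CSPRNG-backed; zero-pad to a fixed width
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # one outstanding code per user: issuing a new one invalidates the old
        self._pending[user_id] = PendingCode(code, context, now)
        # the message names the action so the recipient sees what it authorizes
        text = (f"ExampleBank: your code to {context} is {code}. "
                f"It expires in {CODE_TTL_SECONDS // 60} minutes. "
                f"If you did not request this, do not share the code.")
        self.sent_messages.append((phone, text))
        return code

    def verify(self, user_id: str, submitted: str, context: str, now=None) -> bool:
        now = time.time() if now is None else now
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if now - pending.issued_at > CODE_TTL_SECONDS:     # expired
            del self._pending[user_id]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:                 # too many guesses
            del self._pending[user_id]
            return False
        if context != pending.context:                      # wrong action
            return False
        # constant-time comparison avoids leaking the code through timing
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[user_id]                      # single use
            return True
        return False


def demo() -> dict:
    """Walk through the normal flow and each failure mode the service enforces."""
    svc = SmsOtpService()
    phone = "+15555550100"                                  # constructed number
    results = {}
    # happy path: used once, then rejected on replay
    code = svc.issue("alice", phone, "log in", now=1000.0)
    results["first_use"] = svc.verify("alice", code, "log in", now=1010.0)
    results["replay"] = svc.verify("alice", code, "log in", now=1011.0)
    # context binding: a transfer code must not complete a login
    transfer = "transfer $10,000 to wallet EXAMPLE-WALLET"
    code = svc.issue("alice", phone, transfer, now=2000.0)
    results["wrong_context"] = svc.verify("alice", code, "log in", now=2005.0)
    results["right_context"] = svc.verify("alice", code, transfer, now=2006.0)
    # expiry
    code = svc.issue("alice", phone, "log in", now=3000.0)
    results["expired"] = svc.verify("alice", code, "log in",
                                    now=3000.0 + CODE_TTL_SECONDS + 1)
    # attempt cap: MAX_ATTEMPTS wrong guesses burn the code
    code = svc.issue("alice", phone, "log in", now=4000.0)
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong, "log in", now=4001.0)
    results["after_lockout"] = svc.verify("alice", code, "log in", now=4002.0)
    results["transfer_message"] = svc.sent_messages[1][1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The context string is the part most deployments leave out: the same verification path serves login and step-up, but the code is only accepted for the action named in the message the user actually received.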

There are three main types of attacks against user accounts today: phishing (and related man-in-the-middle attacks), credential stuffing, and password guessing (sometimes called a password spray). In a later article, I will talk more about each of these, but for now, we just need to know some basics. Phishing is where the criminals fool the user into submitting their authentication claims to a fake site controlled by the attacker. Credential stuffing is where the criminals use username/password pairs stolen from somewhere else and try them against a particular service. Password guessing is where they simply try some small number (usually 10-15) common passwords to see if they work. 

SMS codes do erect barriers against credential stuffing and password guessing. The criminal would have to capture an SMS code in addition to having or guessing the correct password. There are stronger protections that can be used but it is disingenuous not to recognize that SMS codes do offer some protection against those threats. 


Where to start? There are so many disadvantages to SMS codes. First, they can be intercepted with relative ease. The underlying system that delivers SMS messages to your phone was designed in 1975 without many security considerations in mind. It was designed for phone companies, and they are a lot more interested in accurately being able to bill you than in your security. In the original protocol, while your phone authenticates to the cell phone tower, the cell phone tower doesn’t authenticate to your phone. Although this was addressed in 3G, it is possible for an attacker to downgrade to a vulnerable protocol. Consequently, for a few hundred dollars, an attacker can build a fake cell phone tower - an IMSI-Catcher - and relay your signals. Owing to other protocol vulnerabilities they can then read your SMS codes, along with any other SMS message you send or receive. 

Next, as implied above, the fact that you are getting a code to log into a particular site does not mean you are actually at that site. SMS codes do not really mitigate phishing attacks. They only mitigate offline phishing attacks. If you are staring at a phishing page that just captured your password, the attacker could very easily submit it, trigger the SMS code, and ask you for that as well. At that point, they have everything they need to log into the legitimate site. This is sometimes referred to as SMS Phishing, or smishing. 

Consider the message above. It does not even tell you where it is from. Most companies that use SMS codes use a service for them, meaning that the codes for multiple companies come from the same number. For instance, Marriott, Schwab, and United Healthcare all send messages from the same number. This is probably a minor issue, but could cause user confusion.

Finally, phone companies have a checkered history of protecting your phone number. A friend called me once and asked for help in getting his email account back. A criminal had contacted customer service for a top-1 mobile phone carrier, convinced them they were my friend, further convinced them that they had lost their phone and bought a new one, and gotten the phone company to register their SIM card (Subscriber Identity Module card, the little smart card in your phone that identifies your phone to the phone company) to his phone number. Because he had configured SMS MFA on his email account the attacker was then able to request a password reset for his email account. The only authentication claim the email provider requested for this (because of how the account was configured) was an SMS code. As the attacker now controlled the phone number, the code was sent to their phone, not his. This is referred to as a SIM Swap Attack.

These types of attacks are quite common and although phone companies have taken steps to address them they still keep happening. Most carriers now offer some kind of port-out protection for your account. They may also offer PIN codes. You should contact your carrier and see what options they offer. 

While most security professionals, myself included, disparage SMS codes, some go so far as to argue that SMS codes offer a false sense of security. There are far superior, i.e. more secure, options, but technically superior technology is often shunned in favor of the one that more people can actually use. This is definitely the case with SMS codes. Therefore, in spite of all their weaknesses, I stand by my claim that if it is the only MFA solution offered, you should use it. Any MFA is better than no MFA. 

