Contact salesSign in
Current article

Why SMS-Based Authentication Falls Short for Account Security

Mar 30, 2023
Paul Bickley

Coinbase, one of the world's largest cryptocurrency exchanges, recently revealed that 95% of its account takeovers relied on SMS-based Multi-factor authentication (MFA) to secure their accounts. While offering SMS OTP as an authentication type is a step towards securing customer accounts, it is no longer enough to protect against the ever-evolving threat landscape.

The stats say about 95% of Coinbase’s customers are enrolleSMS-based authentication—the weakest 2FA method available. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.
Coinbase data 2023 - ATO by authentication type

About 95% of Coinbase’s customers utilize SMS-based authentication to secure their accounts—the weakest authentication method available on their platform. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.

SMS-based Multi-factor Authentication, also known as OTP SMS authentication, involves receiving a one-time code via text message to verify the identity of the user attempting to access an account. While this method is relatively easy to set up, there are now more secure authentication methods that offer a higher level of assurance to both technology providers and customers. Hackers can intercept SMS messages, SimSwapping can take place, and phishing attacks can convenience users to provide their one-time password codes to bad actors.

In fact, the use of SMS authentication is so vulnerable that the National Institute of Standards and Technology (NIST) removed it from its list of recommended authentication methods back in 2016. NIST cited the weakness of SMS-based authentication in its guidance on Digital Identity Guidelines, recommending that organizations move to more secure methods of authentication.

Stronger Authentication Types
So, what are the alternatives to SMS-based authentication? The most secure method is to use a physical security key, such as YubiKey, which plugs into a computer's USB port or connects via Bluetooth. Security keys generate a unique code each time they are used, making it nearly impossible for hackers to intercept the code or use it for unauthorized access.

Another option is to recommend TOTP authentication apps, such as Google Authenticator or Authy. These apps generate one-time codes that users enter to access their accounts. Authentication apps are more secure because the codes are generated locally on the user's device and not sent through a vulnerable network like SMS.

Lastly, push authentication is a mobile-centric authentication whereby the service provider sends the user a notification over the most secure available communication channel. The user responds to the challenge by performing an action to verify their identity and access the service.

💡Offering stronger alternatives to SMS is an excellent opportunity to improve both your security posture and enhance your customer experience with new technology.

The use of SMS-based authentication is no longer sufficient to protect against account takeover attempts. While it may be a convenient and easy-to-use method of authentication, it is not secure. As threats continue to evolve, it is imperative that users adopt more secure authentication methods, such as physical security keys or authentication apps, to safeguard their online accounts. As a platform provider, it is your responsibility to take proactive measures to educate your customers and help them to protect their digital assets and personal information.

Talk to an expertDemo PasskeysView docs
Article Categories
You might also like
Unlock Passwordless for AWS Cognito
Authsignal's flexible integration model allows you to easily switch from using AWS Cognito's hosted UI to using Lambda triggers inorder to implement Passwordless.
NIST Passkeys Supplementary Guidelines: April 2024 Part 2 Implementation
Our initial analysis addressed the new NIST supplement for passkeys, breaking down the changes and clarifying positions regarding synced/syncable passkeys. In part 2, we focus on implementation considerations.
NIST Passkeys Supplementary Guidelines: April 2024 Part 1
NIST's supplement offers clarity on FIDO2 Passkeys, especially syncable ones, aiding adherence to NIST AAL standards.

Secure your customers’ accounts today with Authsignal.