Is SMS-based 2FA safe?

9 July 2023



SMS-based one-time passwords (OTPs) are a common form of two-factor authentication (2FA), but they are generally regarded as weaker than other second factors. While SMS OTPs are widely supported and easy to implement, the channel they travel over was never designed to carry authentication secrets. An SMS OTP is a short-lived code delivered to your mobile phone by text message: when you try to log in, the service sends a code to the phone number on file, and you enter that code on the website or app to complete the login. It adds an extra layer of security by checking that you currently control the phone number registered to the account.

Is SMS-based 2FA safe?

It is important to note that while SMS-based OTPs offer some level of security, they are not considered the most secure method, because the code can reach someone other than the phone's owner. An attacker can take over the phone number itself through "SIM swapping" (impersonating the victim to the carrier's support staff, or bribing an insider, so that the number is ported to a SIM the attacker controls), or intercept the message in transit by abusing SS7, the signalling protocol used to route text messages between carriers. The code can also simply be phished: a fake login page asks the victim for the OTP and relays it to the real site before it expires. Once an attacker has the OTP, they can complete the login; and because many account-recovery flows fall back to the same phone number, a successful SIM swap often hands over the password as well.

What are my alternatives?

  1. Push notifications: This method uses an authenticator app, such as Duo Mobile or Microsoft Authenticator, that receives a push notification for each login attempt, which the user approves or denies on the device. The caveat is that a user who approves a prompt they did not initiate ("push fatigue" or MFA bombing) hands the attacker the login, so prefer implementations that require number matching or show the requesting location.
  2. Software tokens: This method uses a mobile app or a program running on a computer to generate a code that changes periodically (typically TOTP, RFC 6238) from a secret shared once at enrolment. Nothing is sent to the phone at login time, so there is no message to intercept.
  3. Hardware tokens: This method uses a small physical device, such as a key fob, to generate a code that the user enters to authenticate. FIDO2/WebAuthn security keys go further: instead of a code, they sign a challenge bound to the site's origin, which makes them resistant to phishing as well as to interception.
  4. Biometric authentication: This method uses fingerprints, facial recognition, or other biometric data to authenticate the user. In most deployments the biometric check happens locally and unlocks a key stored on the device; the biometric itself is never sent to the service.
  5. Email-based 2FA: This method sends a code to the user's email that they can use to authenticate. It is only as strong as the mailbox: if that mailbox can be recovered via the same phone number, you are back to the SMS problem.
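To make item 2 concrete, here is an added example (written for this page, not code from the original post or from any particular authenticator app) of the TOTP scheme from RFC 6238 that authenticator apps implement: a HOTP core, a time-based wrapper, a verifier with a small clock-skew window, and the base32 provisioning format used to load the shared secret into an app. The secret used is the public RFC 4226/6238 test vector, not a real credential; the issuer and account name in the provisioning URI are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Public reference secret from RFC 4226 / RFC 6238, used only as a known test vector.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                window: int = 1, algo=hashlib.sha1) -> bool:
    """Accept `code` if it matches the current step or any step within +/- `window`.

    A production verifier must also remember the last accepted counter and refuse
    anything at or below it, otherwise a phished code can be replayed within the window.
    """
    if at is None:
        at = int(time.time())
    current = int(at) // step
    for skew in range(-window, window + 1):
        expected = hotp(secret, current + skew, digits, algo)
        if hmac.compare_digest(expected, str(code)):      # constant-time comparison
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form shown to users, tolerating spaces, lowercase and no padding."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI that authenticator apps read from a QR code at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Reproduce the RFC 6238 SHA-1 test vector for T=59 (8 digits): 94287082.
    print(totp(RFC_TEST_SECRET, at=59, digits=8))
    # Example enrolment URI for a hypothetical issuer/account.
    print(provisioning_uri(RFC_TEST_SECRET, "Example", "alice@example.com"))
```

The point the code makes is that the only secret in the system is the shared key exchanged once at enrolment; every later code is derived locally on both sides, so there is no message in transit for a SIM swap or SS7 interception to capture. Phishing still works against TOTP, which is why the verifier comment insists on rejecting reuse, and why origin-bound FIDO2 keys remain the stronger choice.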

Final Thoughts

While SMS OTPs are still better than a password alone and remain a viable option where nothing else is offered, an app-based token, a hardware token, or biometric authentication is more secure, and a phishing-resistant method such as a FIDO2 security key is the strongest of the alternatives listed here. Choose the 2FA method that best fits your needs, and make sure you trust both the provider and the implementation.