What Is SMS 2FA? Text Message Authentication Explained

06 Nov.,2023

 

SMS 2FA is a type of authentication often used alongside the standard password during Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). SMS 2FA involves sending a short one-time password (OTP) to the user via text message. The user must enter the one-time password into the log-in form to prove their identity and gain access to their account.

SMS-Based Two-Factor Authentication does not require your phone to be online, an advantage over many other authentication methods that require a stable Internet connection.

How Does SMS Authentication Work?

SMS Authentication is straightforward, which may be why it is still so popular, even though so many more secure authentication methods are available.

In general terms, SMS Authentication works as follows:

1. User enters their password

2. User receives an SMS with a one-time password

3. User enters the password in the log-in form

4. User gains access

The majority of MFA/2FA providers support SMS Authentication. For instance, Rublon supports SMS Authentication in the form of a text message one-time password authentication method and calls this authentication method SMS Passcode. The following steps describe the Two-Factor Authentication (2FA) process with Rublon’s SMS Passcode.

1. User starts the log-in process

2. User enters their login and password

3. User selects the SMS Passcode authentication method

4. User enters the SMS Passcode into the log-in form

5. Rublon API checks if the code is correct

6. If the code is correct, the user gains access. If not, Rublon denies the user.
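The server side of the "check if the code is correct" step can be sketched as follows. This is an added example, not Rublon's code or API: the class `SmsOtpStore`, the 120-second lifetime and the three-attempt limit are assumptions chosen to show expiry, single use and guess limiting.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 120  # assumed lifetime; shorter lifetimes shrink the attack window
MAX_ATTEMPTS = 3       # assumed limit on wrong guesses per issued code


class SmsOtpStore:
    """In-memory store for pending SMS passcodes (hypothetical, for illustration)."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}  # user_id -> [digest, expires_at, attempts_left]

    def _digest(self, user_id: str, code: str) -> bytes:
        # Keep only a keyed hash so a leaked store does not reveal live codes.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, now: float) -> str:
        """Create a fresh 6-digit code; the caller hands it to the SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new code replaces, and so invalidates, any earlier one.
        self._pending[user_id] = [
            self._digest(user_id, code), now + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user_id: str, submitted: str, now: float) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if now >= entry[1]:                 # expired
            del self._pending[user_id]
            return False
        entry[2] -= 1                       # count this attempt
        if hmac.compare_digest(entry[0], self._digest(user_id, submitted)):
            del self._pending[user_id]      # single use: a replay fails
            return True
        if entry[2] == 0:                   # too many wrong guesses
            del self._pending[user_id]
        return False
```
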

Pros and Cons of SMS Authentication

Similar to other authentication methods, SMS Authentication comes with its unique pros and cons.

Pros of SMS 2FA:

  • Works offline – Phone does not have to be online.
  • Low learning curve for users – SMS authentication is ubiquitous and easy to perform.
  • Any phone that supports SIM cards suffices – No need for expensive smartphones.
  • Requires no additional hardware or software – Users do not have to install or buy anything new.
  • Mobile operating system does not have to be kept up to date – Authenticator apps may not work on older versions of the system, whereas SMS authentication works even on the oldest phones.

Cons of SMS 2FA:

  • Expensive – Every single text message costs money.
  • One-time passwords have a long lifetime – SMS OTPs expire after several minutes, which gives attackers time to conduct a cyberattack.
  • SIM card can be easily removed and installed in another phone – An attacker needs only several seconds to remove the SIM card from your unguarded phone.
  • Vulnerable to SIM swapping attacks – An attacker takes over the mobile phone number by cheating the mobile telecom provider into linking the number to the attacker’s SIM card.
  • Susceptible to SIM duplication attacks – An attacker uses SIM card copying software to create a copy of the real SIM card.
  • Vulnerable to SS7 attacks – An attacker exploits a vulnerability in the Signaling System 7 protocol to eavesdrop on your text messages.
  • Vulnerable to rerouting attacks – An attacker reroutes your SMS messages to their own device.
  • Susceptible to malware attacks – When your phone gets infected with malware, the attacker will be able to look up your text messages and see the passcode that you have just received.
  • Vulnerable to shoulder surfing – SMS notification with a visible passcode can also leak through the phone’s lock screen, leading to an unauthorized party obtaining the code.
  • Dependent on the device – Losing your phone or SIM card locks you out of your account.

SMS 2FA Alternatives

Given the many cons of SMS 2FA, you may want to consider an alternative MFA method. The three most popular alternatives are:

TOTP Passcodes

TOTP Passcodes, or Mobile Passcodes as we call them, are the most popular alternative to SMS 2FA. TOTPs use the Time-Based One-Time Password (TOTP) algorithm.

During TOTP 2FA, you enter a one-time password generated by a mobile app installed on your smartphone. Importantly, a new one-time password is generated every 30 seconds to give little time for a potential attacker to conduct a cyberattack.

Mobile Push

Mobile Pushes are authentication requests in the form of phone notifications that pop up on your screen. Depending on the authenticator app, you may be required to open the app before seeing the push.

After you open the push request, you can inspect the information about the log-in attempt (location, time, username, email address) and either accept or deny the log-in attempt.

Mobile Push is one of the most secure authentication methods. It is a cost-effective solution that, in comparison to TOTP and SMS Authentication, does not require the user to enter any values manually. Thanks to this, Mobile Push is resistant to many types of attacks, e.g., keylogging. In addition to that, Mobile Push is a valid form of Out-of-Band Authentication (OOBA).

WebAuthn/U2F Security Keys

WebAuthn/U2F Security Keys are by far the most secure 2FA option out there. Security keys have few disadvantages, but their cost is one of them. Nevertheless, if you can afford them, such keys prove to be extra secure.

WebAuthn/U2F Security Keys are hard to compromise and have been found super-effective against Man-in-the-Middle (MITM) attacks. 

Some new variants of Security Keys, e.g., YubiKey Bio, support biometric authentication. Such biometric keys combine two strong authentication factors (what you have and who you are) to ensure top user security.

Rublon Supports SMS 2FA (And More!)

Rublon is a comprehensive Multi-Factor Authentication (MFA) solution that protects your cloud applications, VPNs, and Remote Desktops using several authentication methods, including SMS Authentication.

If you would like to test Rublon for your workforce, you can do this for free:
