The practicalities of SMS and token authentication solutions
MFA, or multi-factor authentication, is an essential security tool. It is a method of strong authentication that combines several independent factors into one authentication dialogue. Using multiple disparate factors raises confidence that the person presenting an identity is its genuine owner, because the probability of an attacker getting every factor right in a single attempt, whether by chance or by a systematic attack, is very low.
Adding factors increases strength, but this has to be traded off against the inconvenience to the user. MFA should be used for any high-value or administrative account that is used to manage systems or financial transactions. MFA requires two or more pieces of evidence that indicate a legitimate user, drawn from different categories: something only that person knows (a password or PIN), something only they possess (a phone or hardware token), an inherent trait of the user (e.g. a fingerprint), and sometimes a physical location. Two pieces of evidence of the same kind, such as a password plus a secret question, do not count as multiple factors.
We use multi-factor authentication in many everyday scenarios. Paying with a credit card and then entering a PIN is MFA that combines a possession factor (the card) with a knowledge factor (the PIN). Logging in to a website and then being asked for a one-time password sent to your mobile phone is another example: it adds a possession factor on top of the password you already know.
As digital security becomes more of a concern in our day-to-day lives, multi-factor authentication is becoming increasingly mainstream. It can be achieved in several ways, and in this post we will look more closely at two of them: SMS authentication and token authentication.
Sending a code to a mobile phone as an extra layer of security has long been an easy and popular way for banks and other companies handling sensitive information to achieve two-factor authentication. You have very likely used it: a one-time PIN or password is sent to you by text message, and you enter it into a website or app to complete the attempted action.
SMS is commonly used as a second factor largely because it works for almost everyone. Nearly everybody has a mobile phone that can receive text messages, which makes the method close to universally available. It is user-friendly, easy to roll out at scale, and on the user's side needs nothing beyond a working SIM card and network reception. For companies, SMS authentication can be set up with a range of established messaging platforms.
All that said, SMS authentication also has downsides, and as security technology has advanced it is far from the most secure option. Attackers have repeatedly tricked carriers into transferring an in-use number to a new SIM (a "SIM swap"), after which they, not the customer, receive the one-time codes. Because a text message is shown on whatever device it lands on, a stolen phone, or a tablet or laptop that syncs messages from it, can also expose codes and the accounts behind them. The mobile network itself can be attacked (interception of SS7 signalling traffic is the classic example), an SMS code offers no protection if the user is persuaded to type it into a phishing page in real time, and there are more mundane concerns such as whether there is reception where the user happens to be. It is for reasons like these that NIST's digital identity guidelines (SP 800-63B) class one-time codes sent over the phone network as a "restricted" authenticator.
For these reasons, another option has become popular where stronger security is required.
Token authentication, in which a unique access token proves possession, is a broad category, and strictly speaking an SMS code is a token too, just one delivered over the phone network. Mobile authenticator apps (software tokens) are a step up: they generate one-time codes on the device itself, typically with the time-based TOTP algorithm, so there is no message in transit to intercept or redirect. Some apps instead send a push notification that the user approves on the device.
The most secure option in common use is the hardware token: a physical device that only the authorised user holds. It might be a small keyfob with a screen that displays one-time passwords, a USB security key that is plugged in or tapped, a smart card (a chip-and-PIN credit or debit card is itself a form of token), or some other physical identifier. One distinction is worth knowing: a token that displays a code can still be phished, because the user can be tricked into typing the code into a fake site, whereas a USB security key using FIDO/WebAuthn signs a challenge bound to the genuine site and cannot be used that way.
You may have used, or seen accounting staff use, physical banking tokens for large transactions. These small devices produce one-time passwords for the employees who hold them, and they are deployed across many industries to protect financial transactions, sensitive data, and anything else requiring confidentiality and accuracy.
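As an added worked example, not code from the original post: the codes shown by the keyfobs and authenticator apps described above are normally produced by the HOTP and TOTP algorithms (RFC 4226 and RFC 6238). The Python below implements both, and adds the server-side check a practitioner actually needs when accepting such a code: a constant-time comparison, a small window to tolerate clock drift, and a replay guard so that a code which has already been accepted cannot be used a second time. The shared secret is the published RFC 6238 test-vector key, not a real one, and the function names (`hotp`, `totp`, `verify_totp`) are our own.

```python
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated
    to a 31-bit integer, then reduced to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals
    elapsed since the Unix epoch at time `at`."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, at: int, last_counter=None,
                step: int = 30, digits: int = 6, window: int = 1,
                algorithm: str = "sha1"):
    """Server-side check. Returns the time-step counter that matched, or None.

    - Accepts codes from `window` steps either side of now, tolerating client clock drift.
    - Refuses any step at or before `last_counter` (the step of the last accepted code),
      so a code that was already used cannot be replayed while it is still in the window.
    - Uses hmac.compare_digest so the comparison does not leak which digit differed,
      and keeps scanning after a match so timing does not reveal which step matched.
    """
    now_counter = at // step
    matched = None
    for c in range(now_counter - window, now_counter + window + 1):
        if last_counter is not None and c <= last_counter:
            continue  # replay guard: this step has already been consumed
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate):
            matched = c
    return matched


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test-vector key, ASCII "12345678901234567890".
    SECRET = b"12345678901234567890"
    now = int(time.time())
    code = totp(SECRET, now)
    print("current 6-digit code:", code)
    # First presentation is accepted and returns the step it matched...
    assert verify_totp(SECRET, code, now) == now // 30
    # ...the same code presented again, after recording that step, is rejected.
    assert verify_totp(SECRET, code, now, last_counter=now // 30) is None
```

In a real deployment the server persists `last_counter` per user alongside the secret; without it, a code phished or shoulder-surfed a few seconds ago remains valid for the whole drift window. The test vectors in the RFCs (for example counter 0 giving 755224, and time 59 giving 94287082 at eight digits) are a convenient way to confirm an implementation before trusting it.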
While both SMS and token authentication add an extra layer of verification, it is widely acknowledged that tokens, whether software or hardware based, are the more secure option. SMS authentication, however, is easier to implement, cheaper, and accessible to more people. Each business that needs multi-factor authentication must therefore weigh the advantages and disadvantages of each. In general, high-stakes transactions or actions performed by a small group of people are the ideal scenario for software or hardware tokens, while lower stakes and a wider user base may call for SMS authentication, ideally with a path to move users onto tokens over time.
To find out more about cyber security and multi-factor authentication, whether SMS, tokens, or any other method, get in touch with the CANDA team. As experts in ICT security and risk management, we can advise on, and help you set up, the authentication system that works best for your circumstances. Don't fall behind when it comes to digital security!