Two-Factor Authentication (2FA) Explained: Email and SMS OTPs

  • sms broadcast, sms blast, sms otp, sms masking, sms LBA, sms marketing, sms gateway, sms promo

Two-Factor Authentication (2FA) Explained: Email and SMS SMS OTPs

One time passwords (SMS OTPs) are a popular choice for organizations looking to step up their security with two-factor authentication (2FA). These randomly generated passwords are only valid for a single login session and overcome many of the vulnerabilities of traditional passwords.

There are multiple delivery methods for SMS OTPs—each with its own advantages. Organizations looking into SMS OTP authentication options need to explore and understand which delivery method best meets their needs.

We recently took a closer look at the benefits and drawbacks of SMS OTP soft token and hard token delivery methods. This post focuses on on-demand delivery methods for SMS OTPs, specifically short message service (SMS) and email. While on-demand SMS OTPs are commonly used for first-time user logins and password resets, a large number of companies—especially in the financial industry—use SMS and email SMS OTPs as an extra user verification step.

How On-Demand Tokens Work

The process begins with a user first logging in to a system with his or her username. This triggers an on-demand SMS OTP to be sent to the user’s mobile phone number or email address, depending on which delivery method the organization has in place.

The user retrieves the SMS OTP and enters it into the prompt to verify the user’s identity and gain access. Unlike hard and soft SMS OTPs, on-demand SMS OTPs are often event-based rather than time-based, meaning they are not time-sensitive. However, as with other SMS OTP delivery methods, on-demand SMS OTPs are not reusable and expire after being used.

Benefits of On-Demand SMS OTP Delivery

Ease of Use

On-demand SMS OTP delivery methods are easy to use and convenient because users don’t have to download and configure a separate app, as with soft token SMS OTPs and push notifications; remember anything, as with traditional password; or carry a separate card, key fob, or USB, as with many other authentication methods.

With on-demand delivery, SMS OTPs are sent in real time, and the user typically waits just a few moments to receive them. Many people already have their email open on their computer or their mobile devices readily at hand, so accessing email and SMS SMS OTPs is highly convenient. Furthermore, SMS messages can be delivered on mobile devices that aren’t smartphones, unlike other mobile-based authentication methods.

Low Cost

By leveraging a user’s existing mobile phone or email account, on-demand SMS OTP delivery methods offer significant cost savings over hard token options, which require separate hardware purchases and shipping costs.

Ease of Administration

Implementation of on-demand SMS OTP delivery methods is relatively simple for organizations. For example, with SMS delivery, companies often leverage telephone carriers’ existing SMTP-to-SMS gateways, and for users, there is no setup involved—they simply request a code at login. Because administration is so easy, SMS and email SMS OTPs are often used as a means of granting short-term access when deploying physical tokens or when having a user download an authenticator app is undesirable or too much of a hassle.

More Secure than Traditional Passwords

SMS OTPs overcome many shortcomings of traditional passwords because they are not reusable and, therefore, are not vulnerable to replay attacks, in which valid usernames and passwords are captured in network traffic and used to fool a system into granting access by replaying the request. For this reason, it’s more secure to use an SMS OTP in public computer settings, such as a console in a hotel business center or public Wi-Fi at an airport, where users run the risk of having their traditional passwords stolen by keyloggers.

Mobile devices and email accounts also have separate built-in authentication methods to prevent unauthorized access, including FaceID, TouchID, and login credentials, which provide an added layer of security. Additionally, because SMS OTP delivery is in real time, unexpected SMS OTP messages can alert users of hacking attempts, allowing them to investigate and take necessary action before it’s too late.

No Shared Secret to Crack

Hard tokens and mobile authenticator apps depend on a shared secret with the server that is combined with the current time to generate an SMS OTP, but attackers can crack the authenticator app or servers to uncover the shared secret, making it possible to clone your SMS OTP codes indefinitely. On-demand SMS OTPs, however, are just random values sent by the server, so there’s no shared secret to be exploited.

Drawbacks of On-Demand SMS OTP Delivery

Not Recommended by NIST

In July 2016, the U.S. National Institute of Standards and Technology (NIST) announced that SMS OTPs should no longer be sent to mobile phones via SMS message because the SMS OTPs can be stolen too easily. NIST also warned that the ability to receive email messages or other types of instant messages “does not generally prove the possession of a specific device,” so they should not be used as out-of-band authentication methods either. NIST instead recommends that organizations use more secure authentication methods, such as push notifications, soft SMS OTPs, and FIDO U2F tokens.

Increased Attack Surface

Many systems are involved in the delivery of an SMS or email—each with its own vulnerabilities. First, there are the internet protocols, wireless networks, and email service providers that deliver the SMS OTPs, and then there are the various third parties that messages can be relayed through (SMS middleware, telephone companies, mobile OS companies, VOIP companies, internet service providers, app authors, and so on). Finally, the SMS OTPs can be delivered to multiple devices (phone, computer, smartwatch, tablet, and so forth) and accessed and read by multiple apps on each device. The more links in the chain, the more points of weakness there are to exploit.

Additionally, although on-demand SMS OTPs may appear to be 2FA, where the SMS OTP is the “something you know” and the mobile device is the “something you have,” this isn’t necessarily the case. With email and SMS delivery methods, the “something you have” is really “something sent to you.” Many phone numbers today are not tied to a phone at all, such as those used through Google Voice. Other apps, such as Google Messenger and Hangouts, have access to a phone’s SMS inbox. If hackers gain access to these apps, they can also remotely access and steal a user’s 2FA codes. Furthermore, the phone number that the user used for registration might now belong to someone else or could even be hijacked by a hacker.

Can Be Spoofed

On-demand delivery methods are susceptible to spoofing, a phishing technique that hackers use to trick users into giving them account information or codes by pretending to be a legitimate source. An attacker simply visits the login page and requests a “reset password” 2FA code be sent. Then, the attacker sends the victim an SMS message or email that appears to be from a legitimate source and says something along the lines of: “Suspicious activity has been detected on your account. Respond with the code you received in order to prevent unauthorized access.” If the victim forwards the code, the attacker is able to gain easy access to the account.

Phone Accounts Can Be Hijacked

Phone accounts can be hijacked in what’s known as a SIM card swap attack. This is when hackers with some knowledge of their victims, such as the last four digits of their Social Security number, call the victim’s phone carrier and have the victim's phone number moved to a new device that’s in the hacker’s possession, so that the SMS OTPs can be intercepted. In one recent case, a hacker used publicly available information to persuade AT&T to reassign the victim’s phone number, then accessed the victim’s PayPal account using SMS 2FA.

Codes Are Sent in Plain Text

SMS and email messages are sent in plain text, meaning anyone who manages to intercept or get access to them can clearly read the SMS OTP.

Can Be Viewed Without Authorization

Many smartphone users enable text notifications to be visible when their devices are locked, so an SMS code could potentially be read by simply glancing over a user’s shoulder without the user’s knowledge.

Mobile and Messaging Shortcomings

Leveraging mobile phones for SMS OTP delivery presents shortcomings related to the devices themselves, including battery life, a user’s losing or forgetting the device, and some users not wanting to use their personal phones to receive SMS OTP codes for work purposes.

There are also issues related to the text messages themselves, such as occasional delivery failures, some users not having text messaging capabilities, and potentially incurring a per text charge from third-party messaging providers. Additionally, if an organization has many international users, the cost or added difficulty of sending local SMS can be prohibitive.

Requires Cellular Service or Internet Access

On-demand SMS OTPs require users to have cellular service (SMS only), Wi-Fi signal, or internet access in order to be delivered. If users are offline or out of network, such as on an airplane, in a remote area, or traveling internationally, they may be unable to access the codes.