Why Using SMS in the Authentication Chain is Risky

Learn how best to deliver 2FA without relying on SMS and voice.


Security is an important topic today, and one of the most common ways to better protect your application's accounts is to add two-factor authentication (2FA) to the login process. However, the vast majority of 2FA is done via SMS, and as more and more vulnerabilities in it come to light, SMS is now considered a very insecure 2FA method.

Simon Thorpe, Director of Product for Authentication at Twilio, spoke at OWASP’s 13th Annual AppSecUSA Security Conference in Washington, DC. He discusses why passwords just don’t work for security, and how best to deliver 2FA without relying on SMS and voice.

Short on time? Here are the top takeaways:

  • While SMS/voice isn’t the most secure option for 2FA, it’s still far better than no 2FA at all. Adding a One Time Password (OTP) delivered via SMS or voice to existing username/password logins is still advisable.
  • There are even better methods for 2FA, such as generating the OTP offline on the mobile device itself. This is what’s known as Time-based One Time Passwords (TOTP).
  • Rather than trying to stay on top of an authentication landscape that changes quickly and often, migrating to a service lets you partner with a vendor who specializes in platform security and availability and brings you only the best, fully vetted features.
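The second takeaway is worth seeing in code: with TOTP the shared secret is provisioned once and the code is derived on the device from that secret and the current time, so nothing has to be sent over SMS or voice at login. The example below is added here for illustration and is not code from the talk or from Twilio. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only; the secret `b"12345678901234567890"` is the published RFC test secret, used so the values can be checked against the RFC appendices, and the `window` parameter and "last accepted counter" replay check are the verifier-side design choices a server would add, not part of the RFCs' core algorithm.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24               # mask the sign bit, take 31 bits
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time slot."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits, algo)


def verify_totp(secret: bytes, code: str, timestamp=None, step: int = 30,
                window: int = 1, digits: int = 6):
    """Server-side check (assumed design, not from the RFC text).

    Accepts the code for the current slot and `window` slots either side to
    absorb clock drift. Returns the matching counter so the caller can store it
    and reject any later submission whose counter is not strictly greater,
    which stops a captured code from being replayed inside the window.
    Every candidate is compared in constant time and the loop does not
    short-circuit, so timing does not reveal which slot matched.
    """
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    matched = None
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            matched = candidate
    return matched


if __name__ == "__main__":
    # Constructed demo secret: in practice this is random, provisioned once
    # (e.g. via a QR code) and never transmitted again.
    secret = b"12345678901234567890"
    print("current code:", totp(secret))
    # RFC 6238 Appendix B, SHA-1, T=59 -> 94287082 (last six digits shown here)
    print("code at t=59:", totp(secret, 59))
```

To enrol a user, generate a random secret, show it once (QR code or manual entry), and keep only that secret plus the last accepted counter; at login, call `verify_totp`, reject a `None` result or a counter that does not exceed the stored one, then update the stored counter. The same function also handles the drift case: a code from the previous slot is still accepted one slot later, but not two.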