SMS and Two Factor Authentication
Way back when I worked the corporate life, my company used two factor authentication in order to access the corporate network. I carried around a little device, about a third the size of a credit card but a little thicker, that generated a random series of numbers every ten seconds. In order to log into the system I had to enter the usual user name and password, followed by this magical random number.
It all worked great, until I lost it. The first time you lost it they’d ask a few questions and give you a new one. The second time they’d call your manager. If you lost it three times within a short period (a year or so) then you’d really get into trouble. But they were small and easy to lose. They were important though, because they were one part of the two part authentication needed to get to the protected network which became vulnerable every time one was lost.
That scenario is how traditional two factor authentication works. In order to be authenticated you need two pieces of information, each provided by a different piece of hardware. These days though, many companies are using the same basic concept, but sending those random numbers to users via SMS rather than a dedicated device. That other piece of hardware is now your mobile. Now my mobile is something I’m not going to lose. At least I haven’t yet.
Major companies are implementing it this way. For example, if you forget your Google password you can get it reset by asking them to send a one-time passcode to your mobile. Then you have to go to a specific webpage, enter your user name and the one-time code to be able to reset your password. There are other services I use that require the same procedure every time I log in from a new device or from a different location (based on IP address).
It’s convenient to use SMS for authentication. Much more so than less secure means like email. I’ve used some sites that will send an email with a link to reset your password. That’s great, but the biggest issue I’ve found with that is waiting for the email to arrive. Sometimes it’s there before I can even switch tabs. Sometimes it never shows up. Other times I’ve waited so long I’ve given up and moved on to something else. But SMS is fast and the messages usually arrive in a matter of seconds. They also have an advantage over email because the code actually arrives on another device (rather than the link in the email which essentially has the code built in or sometimes provided separately in the email). It’s the requirement for another device that makes this form of two factor authentication using SMS secure.
Well, it’s secure to a certain point anyway. Without going into a detailed security discussion (which I’m not qualified to do anyway. I know something about the topic, but I’m not an expert!), there are arguments on both sides on whether it is secure or not. Or rather how secure it is.
Both sides agree that it is possible to hack two factor authentication when the passcodes are delivered via SMS. It takes certain hardware (which is readily available to those who know what to get), and while the network itself provides some encoding there are ways around that too.
But the truth is that those approaches to hacking the passcode aren’t that practical in most circumstances. Stackexchange.com is a technology website where people can ask questions and get the technical answers they need. Someone asked if two-factor authentication using SMS is secure. You can read the whole thread, but here is a quote summarising the discussion:
Also, in summary, it seems that SMS is a reasonably secure means of transmitting short-lived secrets, e.g. for two factor authentication. An attacker must know your (phone’s) physical location, know when you’re likely to receive a secret, possess and know how to use what is most-likely pretty expensive radio equipment, and have completed a fairly involved project to run “a truly massive computation” (correctly). Attacks would almost certainly be made only against very high value targets.
All these concerns are directed at someone being able to intercept the passcode, which is usually only valid for a short time after sending. But in order for the passcodes to be of use, the attacker would also have to have the first part of the authentication too – your user name and password for whatever service you’re using.
There have been reports of new hacking strategies that trick users into installing or downloading software onto a computer to capture this data. That software captures keystrokes to get your email and passwords, then provides a fake popup requesting you provide your phone number. Somehow then, the software (or the hacker behind the software) can now see both sides of the two factor authentication and the entire system is compromised for that user. This scenario though, points out the need to raise awareness of users so they don’t become victims to these types of deceptive tricks that hackers use to gain control of computers.
It’s really a much bigger issue than just what I’m addressing here, so for the sake of argument let’s assume no one falls for these hacker tricks. Then using SMS for two factor authentication can be considered secure for practical purposes (also assuming the SMS messages aren’t being forwarded back to your computer via email which then negates the point of the “two” in two factor authentication).
How to use SMS for authentication
The benefit of using SMS messaging for authentication is that people have their mobiles with them all the time. It’s convenient for them to receive the passcodes quickly so they can get logged in and do their business, whatever that may be. At its simplest, the procedure goes something like this:
- The user requests a passcode be sent to recover account information (a password, user name, account number, etc.)
- The server (belonging to the organisation who has the account information) generates a random code made of numbers or numbers and letters
- That one-time code is sent via SMS to the user at the mobile number provided in the user’s profile
- The user then enters the code into the webpage the server redirected them to when they requested the code
- The server authenticates the passcode (to check it’s still valid as well as the correct code) and provides the user with the means to access the account
If everything goes well the user is granted access and they can get on with their business. Organisations looking to do this sort of authentication can use APIs to connect to SMS service providers which then handle the message delivery. It can be an elegant solution when implemented properly.
The fastsms API is designed for just these sorts of purposes. Developers can quickly make the calls they need to send or receive messages and integrate with existing software. If you want to know more about our services, click the live chat button to speak with our experts right away. You can also use our contact form, call or email.
SMS marketing is one of the most effective marketing tools businesses can use to raise awareness of their product and service, directly communicating with their target audience. As with everything you invest time and money into, you’ll want to understand how SMS messaging can help you to grow your business so that you see the direct return on your investment. Here we’ve listed out some of the key ways SMS marketing can help you grow your business, and achieve your objectives.
What is one almost guaranteed way of getting new customers? Ask for them. Really. Studies show that 83% of satisfied customers are willing to recommend a company, product or service to their family and friends. Here’s how you can use SMS to simplify and improve your referral marketing.
In this new A-Z of SMS Marketing, we explore every aspect of this highly effective and low cost marketing solution. In this infographic we look at the letter A, which stands for API Integration. One of the key features of the Fastsms system is the seamless, out of the box integration it offers with industry leading CRM platforms including WHMCS, SMI, APIANT, Rba, AdaptUX, Itris and Zapier. Take a look at this infographic to learn more.
You’re all excited about the number of new members you have in your health club thanks to your latest member drive. And you want to do everything you can to help them reach their goals and stay a member for a long time. Here’s a quick few steps to get you up and running as quickly as possible.
The Internet opened up mass communication in ways no one ever imagined it could. But there’s also another trend leveraging today’s communication technology: Communicating with just one person via applications. According to Transparency Market Research, the A2P SMS market will be worth over £45B in just a few years.
SMS text messaging is one of the most effective marketing tools you can use to raise the profile of your business, communicate with your customers and send direct information to the people you most want to target. It’s a highly cost-effective way to reach customers as most people carry a mobile phone on them every day. If you work within the retail sector, SMS messaging presents several opportunities for you to reach and connect with customers, with the aim of generating increased sales. For some of the main reasons SMS marketing is ideal for retailers, read on.
SMS marketing is one of the most popular forms of communication when it comes to efficient, cost effective customer contact. SMS marketing allows businesses to connect directly with their customers and customers the opportunity to contact your business at a time that suits them. Across several sectors including hospitality, leisure, and retail to name but a few, businesses are making improvements to their customer experience offering through effective SMS marketing. Here we’ve listed out some of the key ways SMS marketing can help to improve your customer experience offering.
By 2017 there will be 270 billion app downloads worldwide. And the Google Marketplace and the Apple App Store each have over 1.3 million apps available. You need to help people find your app if you’re to break through all that noise. Your website is a great place to start promoting your app, but maybe not in the way you might think.
Wеb dеѕіgn and digital marketing are lucrative but hugely competitive areas of buѕіnеѕѕ and in the modern marketplace, technology plays a central role to the success of both. Successful agencies large and small are able to harness the power of individuals with high levels of training and exceptional skills to deliver a service that has almost unlimited potential in today’s digital age. Many, however, have yet to discover the power of adding SMS Marketing to the mix. Read on to learn more.