Is SMS the best choice for two-factor authentication?



It goes without saying that security is a big concern for people at the moment. It seems every time I pick up the paper, there’s been another major data breach, while stories of fraud are still all too common.

Did you know recent figures from the Office for National Statistics suggested that fraud (most of which goes unreported) might make up as much as half of all crime in the UK, with one in ten people falling victim last year? This means millions of us have first-hand experience of what it’s like to be on the wrong end of this type of crime, which is why there’s so much demand to ensure our details are secure.

It’s an especially serious issue for the financial services sector. Gaining access to someone’s finances, whether by stealing payment card details or login credentials for an online service, is one of the easiest ways to drain victims of their money. But how should these firms be preventing this?

The need for two factor authentication

One of the most common types of fraud – and one where contact centres are often on the front line – is identity theft. In its most basic form, this involves a criminal logging into someone’s account with stolen credentials, allowing them to authorise payments.

This can happen because – despite countless warnings – people still persist with poor passwords. Too many people either reuse the same password over and over again, or go for painfully obvious choices like their pet’s name, or ‘password’.

It’s often said the answer to this is two-factor authentication. The principle here is that a password alone won’t get you through the door. Instead, you first need to further prove your identity with a second challenge, just like if you want to withdraw money from an ATM, you need both your card and your PIN on hand.

This can involve a second security question, a physical token you plug into a USB port, a biometric scan such as a fingerprint or, as is increasingly the case for banks, a one-time code sent by SMS to a user’s phone.

The problems with SMS

You can see why this is a popular choice. There’s no fiddling around with other tokens, and it’s very easy to set up. Almost everyone has their phone with them all the time – indeed for some people, it’s practically attached at their hip – so it’s usually seen as the most convenient way of proving your identity.

But is it the best? Not necessarily, as new guidelines from the US National Institute of Standards and Technology (NIST) make clear. While it stops short of recommending the technology be banned altogether, it does urge organisations to consider alternatives. The body has called for the phasing out of SMS as an option for two-factor authentication, citing its many inherent security flaws.

The most obvious of these is if a phone itself is stolen or otherwise falls into the wrong hands. But there are several other security problems, such as the risk of SIM swapping. This means somebody unlawfully obtains an identical SIM card to a mobile user and redirects messages away from the intended recipient, leaving their accounts open to attack.

Aside from this, there are practical considerations – a phone will need to have battery and signal, for example, in order to be useful. And SMS messages are not always instant, which slows down the process.

Can SMS be made secure?

At Aspect, we agree with NIST that SMS alone isn’t good enough for effective two-factor authentication. But there are steps the banking sector can take to add stronger security to the technology in order to boost security and increase customer confidence.

If SMS is still being used, it needs to be supported by a range of additional checks that can verify that it is secure. These include advanced fraud detections that can tell if a message is being diverted, or location data that knows if a person is where they say they are.

The key factor here is that they should operate behind the scenes. If these extra measures are implemented well, consumers won’t even notice them, but they form a key part of the additional security that today’s users need in order to feel safe when using a banking contact centre.

It’s a tricky issue for financial services firms, who need to strike a careful balance. Of course customers demand the highest possible levels of security – but only if it doesn’t interfere with the transaction in any way.

Many banks still haven’t found this balance, which is why we’re working hard with the industry to find ways to secure authentication without affecting people’s experience. While SMS alone doesn’t satisfy today’s security demands, with the right additional safeguards in place, it still has an important role to play in verifying customers’ identities.

For more information, visit here