Why SMS-Based Authentication Is No Longer Enough For Secure Account Protection
Coinbase, one of the world's largest cryptocurrency exchanges, recently revealed that 95% of its account takeovers relied on SMS-based Multi-factor authentication (MFA) to secure their accounts. While offering SMS OTP as an authentication type is a step towards securing customer accounts, it is no longer enough to protect against the ever-evolving threat landscape.
About 95% of Coinbase’s customers utilize SMS-based authentication to secure their accounts—the weakest authentication method available on their platform. These same users made up 95.65% of all account takeovers Coinbase had experienced as of November 2022.
SMS-based Multi-factor Authentication, also known as OTP SMS authentication, involves receiving a one-time code via text message to verify the identity of the user attempting to access an account. While this method is relatively easy to set up, there are now more secure authentication methods that offer a higher level of assurance to both technology providers and customers. Hackers can intercept SMS messages, SimSwapping can take place, and phishing attacks can convenience users to provide their one-time password codes to bad actors.
In fact, the use of SMS authentication is so vulnerable that the National Institute of Standards and Technology (NIST) removed it from its list of recommended authentication methods back in 2016. NIST cited the weakness of SMS-based authentication in its guidance on Digital Identity Guidelines, recommending that organizations move to more secure methods of authentication.
Stronger Authentication Types
So, what are the alternatives to SMS-based authentication? The most secure method is to use a physical security key, such as YubiKey, which plugs into a computer's USB port or connects via Bluetooth. Security keys generate a unique code each time they are used, making it nearly impossible for hackers to intercept the code or use it for unauthorized access.
Another option is to recommend TOTP authentication apps, such as Google Authenticator or Authy. These apps generate one-time codes that users enter to access their accounts. Authentication apps are more secure because the codes are generated locally on the user's device and not sent through a vulnerable network like SMS.
Lastly, push authentication is a mobile-centric authentication whereby the service provider sends the user a notification over the most secure available communication channel. The user responds to the challenge by performing an action to verify their identity and access the service.
The use of SMS-based authentication is no longer sufficient to protect against account takeover attempts. While it may be a convenient and easy-to-use method of authentication, it is not secure. As threats continue to evolve, it is imperative that users adopt more secure authentication methods, such as physical security keys or authentication apps, to safeguard their online accounts. As a platform provider, it is your responsibility to take proactive measures to educate your customers and help them to protect their digital assets and personal information.