Despite the National Institute of Standards and Technology (NIST) advising against using SMS-based one-time passwords (OTPs) as a two-factor authentication method over 3.5 years ago, this method is still being used. However, using SMS-based OTPs poses significant risks and can leave users vulnerable to various types of attacks.
According to NIST, "at present, authenticators relying on telephony and Short Message Service (SMS)-based one-time passcodes (OTPs) are restricted."
This restriction stems from three main risks associated with SMS-based authentication.
Firstly, SIM Swap attacks are a significant concern. In this type of attack, the attacker convinces the user's mobile operator to transfer the user's phone number to a SIM card the attacker controls. From that point on, the OTPs sent to the user's phone number go directly to the attacker. Unfortunately, as a user, there is very little you can do to prevent a SIM Swap attack.
Secondly, malicious applications pose a risk even if the SMS OTP has arrived safely on the user's phone. A malicious application may be able to silently send the incoming OTP elsewhere and delete it without the user's knowledge.
Lastly, there are vulnerabilities in Signaling System No. 7 (SS7), the signaling protocol used between telephone networks, that could allow SMS OTPs to be read despite the most advanced encryption used by mobile phone networks.
Despite these risks, it is still important to use two-factor authentication. We recommend downloading and using the Securify Identity mobile application for free on your phone to ensure secure authentication without relying on SMS-based OTPs.