Understanding the Mechanics of SMS Verification

Explore the mechanics and importance of sms verification in digital security.

Sept. 9, 2024

Ever wonder how safe your accounts really are? In a world of cyber threats, relying on just usernames and passwords could leave you vulnerable to unauthorized access and potential harm. In this blog, I'll explore SMS verification for two-factor authentication and how it can help fortify account protection: what SMS verification is, how it's used, what it's good for, what it's less good for, and where digital authentication is going. By the end, you'll know how to protect your data and secure your online identity.

Key Takeaways

  • SMS verification adds an important layer of security by requiring both a password and access to a mobile device.
  • SMS works, but there are a few things you should know about its security: it's vulnerable to phishing attacks and SIM swapping.
  • The future of passwords is looking brighter and more secure with biometrics and multi-faceted identification.

Definition

SMS verification, or text verification, is a type of 2FA (two-factor authentication) that's important for security. The service proves it's really you by texting you a unique one-time verification code every time you try to log in. When you have SMS verification in your login flow, you're making sure that unauthorized people can't access your account, even if they have your password.

You need this because usernames and passwords are no longer as secure as they used to be now that attackers can be very sophisticated; you need a way to prove that you are who you say you are. SMS does this: not only do you need your login credentials to get into your account, but you also need access to your phone, so even if someone knows your password, they can't get in unless they also know your phone number and physically have your phone.

When you create an account or log in, you give the website or app your phone number, and they send you a one-time verification code, typically a 6-digit number. You have to enter this code within a short time window to prove that you are who you say you are. This whole flow is easy because a 6-digit number can be sent over the standard mobile telecommunications network, and as a result SMS has become the de facto text verification method across the internet.

Because it's so easy to use, this not only has a positive effect on the user experience of the verification process itself, but makes it feasible for high-stakes use cases. For example, banks, e-commerce, and social media use SMS verification all the time to secure communications and transactions. With SMS verification, you receive a text nearly instantly, so when you're making a big purchase or proving your identity, you can feel comfortable because your SMS provider vouches that the message is genuine.

In short: SMS verification is awesome because it's secure, easy to use, and that's why I think it's here to stay for a long time.

Security Strengthened by Text Verification

SMS is a great example of how we can do security so much better. With credential-stuffing attacks expected to make up 71% of cyberattacks in 2022-2023, and rising, you need to protect your money and your personal information. Attackers are going after bigger and bigger targets. With SMS you get the security of "something you know" (your password) plus "something you have" (your phone).

SMS is also very convenient. Most people know how to receive a text message on their phone, so it's convenient for them to use to prove that they are who they say they are. There's nothing special to install or do. It's just SMS, a technology that we've known about for years!

Of course there are some things to watch out for, and SMS verification has some limitations. Things like SIM swapping, lost devices, and messages getting intercepted on other devices can be a risk. But as long as you know how to use it safely, the benefits of SMS authentication far outweigh the risks.

Implementation Process for SMS Verification

SMS Verification is a simple way to significantly enhance security, all while improving the user experience. Here's how it looks in practice:

User inputs contact information: User enters their phone number during sign-up or sign-in to the app in addition to their username and password to link their account to their mobile phone.

User inputs credentials: When a user logs in, they input their username and password like usual. That action prompts the system to text a one-time verification number to the phone number they signed up with.

User receives verification number: After signing in, the user receives a 6-digit verification code via SMS to their phone. This happens in seconds, creating an ultra-smooth user experience.

User completes access: Finally, the user inputs the verification code they received back into the app or website they are trying to access, which verifies that the user is who they say they are and grants them access to their account.

By taking this extra step, the user can greatly reduce the likelihood of an unauthorized person accessing the account, in real time.
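Here is what the server side of those four steps looks like in code. This is an added example written for this article, not code from the original post or from any SMS provider: the SMS gateway call is stubbed as a `send_sms` callable, and the code length, five-minute expiry and server secret are constructed values. It demonstrates the properties the flow depends on: the code comes from a cryptographic random source, only a keyed hash of it is stored, it expires, it is single-use, and it is compared in constant time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed parameters for this example; the secret is a placeholder and
# must come from a secrets manager in a real deployment.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 300
SERVER_SECRET = b"EXAMPLE-ONLY-SECRET-REPLACE-ME"


@dataclass
class PendingCode:
    code_hash: bytes     # HMAC of the code; the plaintext code is never stored
    expires_at: float
    used: bool = False


class OtpService:
    """Server side of the four-step flow: issue a code to a phone number, hand the
    text to an SMS sender, then validate what the user types back."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send_sms = send_sms      # the SMS gateway call itself is out of scope here
        self._clock = clock            # injectable so expiry can be tested
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _hash(phone: str, code: str) -> bytes:
        # Keyed hash bound to the phone number, so a leaked store reveals no codes
        # and a code issued for one number cannot be replayed against another.
        return hmac.new(SERVER_SECRET, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str) -> None:
        # secrets.randbelow draws from the OS CSPRNG; the random module would be guessable.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        # Issuing a new code replaces any earlier one for this number.
        self._pending[phone] = PendingCode(self._hash(phone, code),
                                           self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your verification code is {code}. "
                              f"It expires in {CODE_TTL_SECONDS // 60} minutes.")

    def verify(self, phone: str, submitted: str) -> str:
        """Return 'ok', 'invalid', 'expired' or 'no_code'. A code is single-use."""
        pending = self._pending.get(phone)
        if pending is None or pending.used:
            return "no_code"
        if self._clock() > pending.expires_at:
            del self._pending[phone]
            return "expired"
        cleaned = "".join(submitted.split())   # tolerate "123 456" as copied from the text
        # Constant-time comparison so timing does not reveal how many digits matched.
        if not hmac.compare_digest(pending.code_hash, self._hash(phone, cleaned)):
            return "invalid"
        pending.used = True
        return "ok"


if __name__ == "__main__":
    # Stand-alone demo with a print-to-console "SMS gateway".
    svc = OtpService(send_sms=lambda phone, text: print(f"SMS to {phone}: {text}"))
    svc.issue("+15551234567")
    print(svc.verify("+15551234567", input("Enter the code shown above: ")))
```

The store here is an in-memory dict; in a real service it would be a database or cache keyed the same way, and the "expired" and "invalid" outcomes are what the app turns into the user-facing feedback described later in this post.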

Why It's Important

In today's digital climate, SMS verification is more important than ever. The security measure helps to protect online accounts by requiring two forms of authentication, also known as two-factor authentication (2FA): something you know (like a password) and something you have (your phone). This double layer of protection adds another hurdle for attackers to jump over, helping to reduce account takeovers.

SMS verification is a highly effective tool for keeping user data safe. Cybersecurity threats typically seek credentials, exploiting gaps in account security. By adding SMS verification to the mix, organizations can stop the majority of these attacks. Even if a fraudster has the user's password, gained via phishing or another method, they still need the user's mobile device to complete the sign-in.

This is why SMS verification is such a powerful tool. It turns unauthorized access into an uphill battle, which is what attackers don't want. SMS verification greatly increases the amount of effort required to carry out an attack, making it much less likely that an attacker will try. And when they do, the majority of the time, they won't be successful. SMS verification, when implemented as part of a broader security strategy, can truly prevent unauthorized access.

Enhancing Compliance with Data Protection Regulations

SMS verification isn't just a way to secure your accounts—it can also help your business meet privacy regulations. Many regulations require organizations to take steps to protect the sensitive user data they handle. When you show that you take security seriously and have secure authentication measures in place, you inspire trust among users and customers. That trust can be especially important in industries like finance or healthcare, where you're often handling sensitive data.

You may be required to put certain security measures, like 2FA, in place to be GDPR or HIPAA compliant. Failing to comply can result in hefty fines and damage your brand. With SMS verification, you show your stakeholders that you're protecting their privacy and their data.

Improving User Experience with SMS-Based Authentication

People love sending and receiving SMS on their phones, and that's another reason they love SMS verification. People are on their phones all day, so it's very convenient.

With a password, you have to remember your password, which is annoying. With a one-time password, you have to remember nothing! You just receive it in your SMS and you're good to go.

The UI/UX of SMS is simple for anyone to understand. People don't have to be tech-savvy to use it—they can see exactly what to do. So most of the time SMS verification is a very pleasant experience for the end user—it's a really nice blend of security and user-friendliness.

Broad Adoption Demonstrates Effectiveness

The breadth of adoption signals that SMS verification is widely used and highly effective at protecting users in many different situations. From e-banking to ecommerce to social networks, everyone needs to protect their users against the most common security threats.

For example, in apps that feature a lot of PII, enabling SMS verification can help drastically reduce identity theft and takeovers. It also makes for easier debugging on the user and customer service side, since the SMS process is typically an easy way to regain access if a user is locked out or forgot their password.

In general, the fact that people are adding this level of security means that they're getting serious about cyber resiliency at their organization. As criminals adapt, this kind of flexible and comprehensive security framework will only continue to grow in importance.

Subtopic 1: SMS Code Transmission Process

In the world of security, SMS verification is a fundamental tool to secure your application. When a user types in their number on an app or service and clicks a button to be verified, they are interacting with a system built to provide an additional level of protection from unauthorized access: it ensures that any future messages go only to the person you intend to receive them, preserving the integrity of the verification.

When the user enters their phone number and clicks to be verified, the app uses HTTP APIs. An HTTP API is the interface that lets the app and the service generating those verification codes talk to each other. This API triggers the generation of a one-time password (OTP), a code that is valid for only a short time. The OTP is then sent over the mobile network to the user's phone. HTTP APIs let us automate and optimize this system, so that code generation and delivery are a seamless, secure, and positive experience for the user.

Role of Telecommunications in SMS Delivery

Without getting too excruciatingly specific, here's the basic idea. At a very high level, telecom networks are the middleman that helps get your SMS from point A (the sender) to point B (the receiver) reliably and relatively quickly.

When that special SMS with the OTP is sent, the telecom networks swing into action, traversing infrastructure layers to get the SMS from here to there, fast. A lot of things can influence how fast that happens: traffic, distance, SMS provider optimization, and more.

The user gets the SMS verification code and can enter it in the app, and the app can confirm that the user has access to that particular phone number. This is part of how verifying the user's identity works. The feedback loop the app sends, in the form of errors/successes, can make a big difference in the end user's experience and in how effective your verification system is.

Validation of the Verification Code

Once the user submits the code they received via SMS, the server needs to do one final thing: validate it. That means the server checks whether the code the user entered matches the code that was generated. If it does, great! Let the user in, and you're done: you've successfully confirmed the user's identity. If it doesn't, access is denied and the user can either request a new code or try entering the correct one again. This validation is important because it makes for a really safe environment for your application: it's very hard for a fraudster to get in, and you can build up a lot of trust with users. You'll notice that each piece (the user's initial request, the HTTP API, the telco, and the final validation) works together to make a smooth, reliable, and secure SMS verification process.

Subtopic 2: Challenges in SMS Verification

SMS verification is a popular way to secure user accounts, especially with two-factor authentication, but it's not very effective and has a number of problems, which users and organizations that want to maintain secure environments should understand.

Security Vulnerabilities and Account Compromise

SMS verification isn't great. It's an insecure signal: Phishing is easy, and attackers can trick users into giving them their SMS codes, which they can then use to take over the user's account. And attackers have a growing arsenal of tools like SIM swapping, where the attacker convinces a telecom provider to transfer the victim's phone number to a SIM card in their control. With the victim's phone number in hand, they can receive SMS messages, including verification codes, and potentially compromise the victim's accounts.

That's why you shouldn't rely on SMS alone for verification. It's one signal, but it's not the only signal. Companies that understand this risk are more likely to offer stronger methods of user authentication in addition to SMS, like app-based authentication or hardware tokens.

SMS verification is an additional step, not the only step.

Lack of Encryption Leads to Interception

SMS verification is also insecure because most standard SMS messages are not encrypted. Unlike secure messaging apps like WhatsApp or Signal, which encrypt messages, standard SMS are sent in plain text. This means that if attackers intercept them, they can read the contents, including any one-time passwords (OTPs). Being unencrypted, they are easily intercepted and modified, which makes SMS an even weaker channel for verification.

All of these security drawbacks mean that companies really should be using a different, more secure method to send sensitive data. With options like secure push notifications and encrypted messaging apps available, there's simply no reason for companies to rely on SMS to send OTPs or any other sensitive data.

User Experience Hurdles in Verification Process

SMS verification doesn't just create security vulnerabilities, it can also create user experience issues like number formatting, which causes verifications to fail. Many users don't realize they need to include the country code when they enter their phone number, and get confused when verifications fail. Failing to include a '+', or formatting the number the wrong way for any reason can unintentionally lock users out of their account. To fix this, you'll need to guide your users through the verification process. Good UI combined with context-specific error messaging will effectively guide users and reduce formatting errors, so they can complete verification smoothly and efficiently.
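As an added example (not from the original post), here is a normalizer that turns what a user typed into E.164 form and returns a specific error code and message for each of the formatting problems described above, so the UI can say exactly what to fix instead of "verification failed". The 8-digit minimum, the treatment of a leading '00' as the international prefix, and the trunk-prefix rule used with `default_country_code` are this example's own simplifications; a production system would use a full numbering-plan library.

```python
import re
from dataclasses import dataclass
from typing import Optional

# E.164 allows at most 15 digits including the country code. The 8-digit minimum
# is this example's own sanity bound, not part of the standard.
E164_MAX_DIGITS = 15
E164_MIN_DIGITS = 8

# Separators people routinely type around digits; all are harmless to drop.
_SEPARATORS = re.compile(r"[\s().\-]")


@dataclass
class PhoneResult:
    ok: bool
    e164: Optional[str] = None        # '+' followed by digits when ok
    error_code: Optional[str] = None  # stable key for logging and translation
    message: Optional[str] = None     # what the user should see


def _fail(code: str, message: str) -> PhoneResult:
    return PhoneResult(ok=False, error_code=code, message=message)


def normalize_phone(raw: str, default_country_code: Optional[str] = None) -> PhoneResult:
    """Turn user input into E.164 or explain exactly what to fix.

    default_country_code ('1', '44', ...) lets a form with a country pre-selected
    accept national-format numbers; with None, a leading '+' is required.
    """
    s = _SEPARATORS.sub("", raw.strip())
    if not s:
        return _fail("empty", "Please enter your mobile number.")
    # Many people type the international dialing prefix '00' instead of '+'.
    if s.startswith("00"):
        s = "+" + s[2:]
    has_plus = s.startswith("+")
    digits = s[1:] if has_plus else s
    # [0-9] rather than str.isdigit(), which also accepts non-ASCII digit characters.
    if not re.fullmatch(r"[0-9]+", digits):
        return _fail("non_digit", "Use digits only, for example +1 555 123 4567.")
    if not has_plus:
        if default_country_code is None:
            return _fail("missing_country_code",
                         "Start with your country code, for example +1 for the US or +44 for the UK.")
        # Drop a single leading 0, the national trunk prefix in many countries (e.g. the UK).
        # Simplification: some numbering plans keep the 0 in international format.
        if digits.startswith("0"):
            digits = digits[1:]
        digits = default_country_code + digits
    if digits.startswith("0"):
        return _fail("bad_country_code", "No country code starts with 0; check the prefix.")
    if len(digits) > E164_MAX_DIGITS:
        return _fail("too_long", "That number has too many digits; check for a duplicated country code.")
    if len(digits) < E164_MIN_DIGITS:
        return _fail("too_short", "That number looks too short; include the area code.")
    return PhoneResult(ok=True, e164="+" + digits)
```

The `error_code` is what you log and count; the `message` is what the user sees. Keeping them separate lets you spot which formatting mistake your users actually make most often and tune the form accordingly.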

Frustration from Limits on Verification Attempts

Here are some common situations we see with SMS verification, and examples of how not to handle them. When you sign up for a new service, you'll often have to do SMS verification. It's great for security, but the company's website and engineers have to think about how to incorporate it so that it's user friendly. What if someone accidentally types the code in wrong? What if they have to reset their code 5 times?

In the first example, a user doesn't know how many attempts they have left. They're worried about being locked out and needing to call a phone number. They're worried they're not going to be able to use the service. Do you think this user is going to have a great first impression of your service? Do you think this user is going to refer their friends to your service? Do you think this user is going to leave a positive review for your service?

In the second example, this is the same user as the first. The only thing that has changed is that there's more than one of them and they typed the wrong code. Maybe they're doing it on purpose because they're a hacker. Maybe they just don't understand how to use your software. Maybe they're not really typing in the wrong code: maybe they're typing in the right code and your software is just broken. Do you think this user is going to have a great impression of your service? Do you think this user is going to refer their friends to your service? Do you think this user is going to leave a positive review for your service?

In both of these examples, the SMS verification is working as expected. The users received an OTP and entered it; if it wasn't right, the user saw an error message. That is SMS verification working as expected, so the SMS verification is not the problem here. The problem is that an engineer or product manager didn't think through what happens if a user types in the code incorrectly, or what happens if a user has to reset their code many times (a common situation for a lot of websites and apps), and the end result is more than one unhappy customer.
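One way to close the gap described in these two examples is to make attempt and resend limits explicit and to tell the user where they stand on every refusal. The policy below is an added example, not code from the original post; the limits (5 attempts per code, a 30-second resend cooldown, 3 codes per 15 minutes) are constructed values, and it tracks only counters, leaving code generation and comparison to the rest of the verification service.

```python
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed policy values for this example; tune them to your own risk appetite.
MAX_ATTEMPTS_PER_CODE = 5        # wrong guesses before the current code is retired
RESEND_COOLDOWN_SECONDS = 30     # minimum gap between two "send me a new code" requests
MAX_SENDS_PER_WINDOW = 3         # codes per phone number per sliding window
SEND_WINDOW_SECONDS = 15 * 60


@dataclass
class PhoneState:
    attempts_used: int = 0
    send_times: List[float] = field(default_factory=list)


class VerificationPolicy:
    """Per-number attempt and resend limits. Every refusal comes with a message that
    tells the user exactly where they stand, so a limit never looks like a broken form."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                       # injectable for testing
        self._state: Dict[str, PhoneState] = {}

    def _get(self, phone: str) -> PhoneState:
        return self._state.setdefault(phone, PhoneState())

    def can_send(self, phone: str) -> Tuple[bool, str]:
        """Decide whether a (re)send is allowed right now and explain the decision."""
        st = self._get(phone)
        now = self._clock()
        # Forget sends that have fallen out of the sliding window.
        st.send_times = [t for t in st.send_times if now - t < SEND_WINDOW_SECONDS]
        if st.send_times and now - st.send_times[-1] < RESEND_COOLDOWN_SECONDS:
            wait = math.ceil(RESEND_COOLDOWN_SECONDS - (now - st.send_times[-1]))
            return False, f"Please wait {wait} seconds before requesting another code."
        if len(st.send_times) >= MAX_SENDS_PER_WINDOW:
            return False, ("Too many codes requested. Try again in a few minutes "
                           "or use another sign-in method.")
        left = MAX_SENDS_PER_WINDOW - len(st.send_times) - 1
        return True, f"Code sent. You can request a new code {left} more time(s) in the next 15 minutes."

    def record_send(self, phone: str) -> None:
        """Call after the SMS was actually handed to the gateway."""
        st = self._get(phone)
        st.send_times.append(self._clock())
        st.attempts_used = 0             # a fresh code gets a fresh attempt budget

    def record_attempt(self, phone: str, correct: bool) -> Tuple[str, str]:
        """Return (outcome, message); outcome is 'ok', 'retry' or 'locked'.
        On 'locked' the caller must discard the pending code so it cannot be guessed further."""
        st = self._get(phone)
        if correct:
            st.attempts_used = 0
            return "ok", "Verified."
        st.attempts_used += 1
        remaining = MAX_ATTEMPTS_PER_CODE - st.attempts_used
        if remaining <= 0:
            return "locked", "That code is no longer valid. Request a new code to continue."
        return "retry", f"That code didn't match. {remaining} attempt(s) left before you need a new code."
```

The counters are per phone number rather than per session, so opening a new browser tab does not reset them; the messages, on the other hand, are deliberately specific, because the first example above is precisely a user who cannot tell how many attempts they have left.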

Continued Reliance on SMS Verification

Subtopic 3: Future of SMS Verification

SMS verification is on its way out. No one can deny that it's less secure than people once thought. As the internet evolves, so do user authentication needs. More and more, people are abandoning the use of SMS for newer, more secure, efficient and passwordless methods for user verification because they're designed to enhance security, especially against increasingly sophisticated cyber threats. Security professionals are warning that SMS is susceptible to things like phishing and other social engineering attacks that need very little effort to execute.

The industry is changing. Major companies like Okta are taking proactive steps to encourage users to stop using SMS for verification. Recent communications have indicated that they're sunsetting support for SMS and voice-based multi-factor authentication (MFA) in favor of more secure options like FastPass and FIDO2 WebAuthn, noting that SMS lacks phishing resistance and that secret codes are not secure. Attackers can bypass SMS as a communications channel via SIM swapping, so you need to trust your method of authentication and know that your users are tied to their specific devices.

The Role of Biometrics and Multi-Channel Strategies

New technologies have brought a lot of change to the authentication space, in particular the rise of biometrics and multi-channel authentication. With biometrics like fingerprint scanning or facial recognition, you can use a person's unique physical attributes to prove it's them, making authentication more secure. Instead of knowledge-based credentials that could be guessed or stolen, biometrics provide a more secure option and a better fit for the demands of modern security.

Multi-channel also helps make the authentication process more robust. By using different pathways—like email, phone calls, in-app notifications—organizations can layer up and add different pieces of security so that if one communication method is compromised, they still have others in place. This means organizations can confidently add layers to their authentication without adding any additional risk.

Factors Affecting SMS Verification's Longevity

While SMS might be in someone's verification mix, the key is reliability, security, and user experience when enabling verification. While some users will find it easier to use just because of its simplicity, organizations need to recognize the significant tradeoffs. That is, they need to be able to provide an equally easy user experience for users without sacrificing the security measures that can handle what's happening today.

Organizations also need to bear in mind the broader trend of growing regulations and security standards. As new regulations are introduced, companies will need to evolve the way they authenticate in order to meet new, more stringent security requirements. By staying ahead of the curve, companies can not only safeguard their own data but continue to win the confidence of their users.

Adapting to New Regulatory Environments

As hackers get smarter, so do the regulations for using different kinds of authentication. If an organization wishes to continue using SMS for verification, they will need to adapt to a shifting landscape that sees established standards and recommendations from bodies like NIST and the US Cyber Safety Review Board retiring the technique, and maintain compliance while providing the same level of user safety and security.

Keeping current with these new standards is a tool for organizations to improve their overall security operations and decision-making around authentication. For enterprises, this swift standard reset is also a chance to bolster their security defenses and get a step on the process, so they're prepared to confront whatever's coming around the cybersecurity corner. Ultimately that's going to look like eliminating SMS verification entirely, in favor of more secure, more sophisticated, passwordless methods of authentication.

The Evolution and Future of SMS Verification

SMS verification is a form of two-factor authentication that online platforms use to help protect your account by requiring you to prove your identity and enter a code sent to you by text message. By requiring you to have something the attacker doesn't (your phone) in addition to something you and the attacker know (your password), it's even harder for an attacker to impersonate you. Although commonly found in sectors like banking and e-commerce, SMS's susceptibility to SIM swapping and message interception means it cannot stand up to the threats we face today and in the future, which is why more and more businesses are implementing newer, more secure methods like biometric verification, and are adopting a multi-channel approach. This is all part of a broader trend of companies reducing their reliance on SMS and ensuring they're compliant with privacy regulations. By offering different ways to verify users, businesses not only stay a step ahead of the bad guys, but provide users with more reasons to trust them in a digital environment that's increasingly untrustworthy.

Frequently Asked Questions

Q1: What is SMS verification and why is it important?

SMS verification, also known as text verification, is one type of two-factor authentication (2FA) that adds an extra layer of security to an account by sending a unique code to a user's phone. It matters because it's an extra layer of security on top of the traditional password, making it much harder for bad actors to get into accounts, particularly given all the new cyberattack techniques there are these days.

Q2: How does SMS verification improve security compared to standard password systems?

SMS verification is a great way to secure your accounts. Instead of just a password, someone needs a second piece of the puzzle, in this instance the person's phone. It's really difficult for someone who isn't supposed to be there to get into the account with this two-step process: something you know (the password) and something you have (the phone).

Q3: What steps are involved in implementing SMS verification?

It's 4 steps: the user signs up or logs in and provides their phone number; the user logs in with their credentials; we text the user a one-time verification code; the user enters the code in the app to verify their phone and finish logging in.

Q4: What are the potential vulnerabilities associated with SMS verification?

SMS verification is open to vulnerabilities such as SIM swapping, where attackers gain control of a user's phone number, phishing attacks where users are tricked into revealing their verification codes, and the fact that messages aren't encrypted, so SMS can be intercepted. These are just a handful of the reasons why SMS is not a very strong way to secure accounts.

Q5: How can organizations improve the user experience during SMS verification?

Businesses can enhance the user experience by clearly indicating the number format they expect, helping the user enter their phone number with the correct country code, using context-relevant error messaging to assist users more effectively, and enabling users to reset verification attempts through alternative methods.

Q6: What are the recommendations for the future of SMS verification?

The future of SMS verification is passwordless authentication: more secure, more convenient methods like biometrics, multichannel (i.e. sending the verification code through different pathways) and others like FIDO, which are increasingly important as the cyber threat landscape evolves, and newer regulations prefer a more secure form of authentication.

Q7: How does SMS verification align with data protection regulations?

Using SMS verification is a great way to stay compliant with data protection laws and show your users that you respect their privacy. With strong authentication like SMS verification, you can gain your users' trust and avoid fines for not being a compliant business—which is especially critical if you're in a heavily regulated industry like finance or healthcare.

Q8: Why is user familiarity with SMS verification a significant advantage?

People are already familiar with SMS verification, which is great, because everyone knows how to use their phone to do things, so it's a really natural and intuitive way to verify identity. That makes for an improved overall user experience and also means that people who might not be as comfortable with technology can use your product with ease, so you can reach more users in all segments.
