Is SMS OTP Reliable? Its Vulnerabilities and Alternatives

Learn more about what makes SMS OTP so popular, how SMS OTP works, its risks, and alternatives to better protect your users.

Published on
July 7, 2022

Big-name companies like Meta, PayPal, and Amazon are rightly pushing us to better secure our apps and services with authentication methods that replace traditional username and password authentication. Among these, SMS OTP is perhaps the most widely deployed, largely because many services rolled it out long before other second factors became practical.

However, this begs the question: Are SMS OTPs secure?

The short answer is no, at least not on its own for anything of value. NIST SP 800-63B classifies OTPs delivered over the public telephone network (SMS and voice) as a restricted authenticator for exactly the reasons below.

The problem with this verification method is that SMS messages have some serious security flaws, making them vulnerable to external attacks. 

As cybercriminals become more sophisticated, taking over accounts protected by SMS OTP has become easier, using techniques such as SS7 interception, malware that reads incoming messages on the device, and social engineering of mobile carriers to perform SIM swaps.

The good news: There are many alternatives to SMS OTPs you could use that are more secure and cost-effective. This guide will discuss the dangers of SMS OTPs and provide some handy alternatives to try out. 

What Is SMS OTP?

An SMS OTP is an authentication method in which a numeric or alphanumeric one-time code is sent to the user's phone number to verify the user's identity. SMS OTP is typically used as an additional layer of security, on top of a password, to better protect users' personal information and data.

Typically, an app or service texts a one-time code to the user's phone and asks the user to enter that code into the login page within a specific amount of time. If the entered code matches the one the system generated, the system grants access to the service or lets the user proceed with a password reset. Note what this actually proves: only that whoever typed the code can currently receive messages addressed to that phone number. Today, SMS OTP has become the de-facto standard for verifying a user's identity since users do not have to install any apps or possess any hardware aside from their phones.
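The issue-and-verify flow just described, as an added example that is not code from the original article or from any vendor. It shows the server-side controls a practitioner would want around the code itself: a CSPRNG-generated code, a short expiry, a cap on guesses, constant-time comparison, and single use. The phone numbers, the 5-minute TTL and the 5-attempt limit are assumptions for illustration; the SMS gateway call is left out because it is the part the app owner has least control over.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # 6 decimal digits, the common choice for SMS codes
OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for 5 minutes
MAX_ATTEMPTS = 5        # assumed policy: lock the challenge after 5 wrong guesses


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0


class OtpService:
    """In-memory OTP issuer/verifier keyed by phone number (illustrative only)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested offline
        self._pending: dict[str, OtpChallenge] = {}

    def issue(self, phone: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-pad so leading zeros keep the length.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # A new request replaces any earlier challenge, so only one code is live per number.
        self._pending[phone] = OtpChallenge(code=code, issued_at=self._now())
        return code  # in production this goes to the SMS gateway only, never back to the client

    def verify(self, phone: str, submitted: str) -> tuple[bool, str]:
        ch = self._pending.get(phone)
        if ch is None:
            return False, "no pending code"
        if self._now() - ch.issued_at > OTP_TTL_SECONDS:
            del self._pending[phone]
            return False, "code expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            # Brute-forcing a 6-digit space is trivial without this cap.
            del self._pending[phone]
            return False, "too many attempts"
        # Constant-time comparison so timing does not leak how many leading digits matched.
        if not hmac.compare_digest(ch.code.encode(), submitted.strip().encode()):
            return False, "wrong code"
        del self._pending[phone]        # one-time: a correct code cannot be replayed
        return True, "ok"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("+15555550100")    # constructed sample number
    print("issued", code)
    print(svc.verify("+15555550100", "000000"))   # almost certainly wrong
    print(svc.verify("+15555550100", code))       # (True, 'ok')
    print(svc.verify("+15555550100", code))       # replay is rejected
```

None of these controls help against the attacks in the rest of this article: every one of them assumes the code reached the legitimate user's phone and nobody else's, and that is exactly the assumption SIM swaps, SS7 interception and smishing break.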

Why Should You Abandon SMS OTP?

Even though SMS OTP is one of the most commonly implemented authentication methods, verifying a user's identity via SMS OTP isn’t as secure as we think. Aside from security, there are other reasons for you to consider other authentication methods. Here are the common security issues of OTP verification and why you should replace it. 

SIM Swap Security Risk

SIM swapping can easily give attackers access to users' accounts. An attacker contacts the victim's mobile carrier, impersonates the victim, claims the SIM was lost or a new phone was bought, and has the victim's number activated on a SIM the attacker controls.

From that point on, every SMS sent to the number lands on the attacker's handset, so any 2FA or password reset that relies on that number is defeated. Because many online accounts fall back to SMS verification for login and recovery, the attacker can change the user's password, access sensitive data, and, if the target is an online banking platform, move money out of the account.

SIM swap fraud has grown year after year. In 2021, for instance, victims reported losses of more than $68 million to the FBI's Internet Crime Complaint Center.

SS7 Technical Flaw

Signalling System No. 7, commonly known as SS7, underpins the interconnection of mobile networks worldwide. It is the signalling standard that carriers use to set up calls, route SMS, translate numbers, and provide telephony services such as call forwarding and roaming.

So, how does it subject SMS OTP to security risks? 

SS7 was designed for a closed club of trusted carriers and has no real authentication between network elements. An attacker with access to the SS7 interconnect (which can be bought or obtained through a compromised operator) can register as the victim's serving network and have calls and SMS, including one-time passwords, routed to them without the victim noticing.

SS7 is a legacy protocol, but SMS still traverses it between carriers, and SMS senders, in this case the app owners, cannot control which telecom network their users are on. The exposure therefore sits entirely outside the app owner's control.

Social Engineering Risks

When it comes to SMS security, the user is the weakest link in the security chain. 

Attackers have upped their phishing (a form of social engineering) game and routinely obtain OTPs from unsuspecting individuals. Studies show that SMS-based scams, also known as "smishing" attacks, soared by 328% in 2020 alone.

Attackers increasingly use smishing to trick users into revealing OTP codes, and real-time phishing kits go further: the fake login page forwards the victim's credentials to the real site, which sends a genuine OTP, and the victim then types that valid code into the attacker's page. Educating users on never sharing these codes reduces the risk but cannot eliminate it, because the code is by design something the user can read out and type anywhere. The stronger fix is to adopt a verification method that leaves the user with nothing shareable that an attacker can ask for.

Sending OTP Through SMS Can Be Quite Expensive

Verification via SMS may be an easier way for users but very expensive for businesses. Companies pay for every SMS message delivered to their users, which can result in substantial monthly bills. 

Furthermore, many SMS OTPs never get delivered even though businesses pay for every message sent out. Price varies significantly across providers and destination countries and also depends on the volume of SMS messages being sent. Worst of all, the cost of an attack resulting from weak SMS authentication can be catastrophic to a business.

Friction in User Experience

SMS OTPs are ubiquitous and allow users to log into online applications and services without memorizing a bunch of usernames and passwords. In fact, more than 60% of users worldwide use SMS OTP to log in to their favorite services. 

However, SMS verification can give users a frustrating experience because deliverability is neither guaranteed nor stable. Sometimes the code arrives late and users cannot log in until it eventually shows up; sometimes it never arrives at all, which can eventually drive users away.

Alternatives to SMS OTP

Luckily, there are secure and reliable SMS OTP alternatives you could use to avoid all the security and other issues associated with OTPs. These include:

WhatsApp OTP

WhatsApp is currently the most popular messaging app, with approximately 2 billion active users as of 2022. Login by WhatsApp, or WhatsApp OTP, is more secure than SMS OTP against interception: WhatsApp implements end-to-end encryption, so the code never crosses the SS7 network in the clear and cannot be read by malware that harvests incoming SMS. Two caveats remain. The WhatsApp account is itself bound to a phone number and re-registered via SMS or voice call, so a SIM swap still lets an attacker take over the WhatsApp account unless the victim has enabled WhatsApp's two-step verification PIN. And a code delivered over WhatsApp is still a code the user can be talked into reading out, so it does not address smishing-style social engineering.

Moreover, WhatsApp OTP is significantly cheaper than SMS OTP, allows you to run drip campaigns that are much more effective than automated campaigns sent through email or SMS, and helps increase app conversion rates since WhatsApp messages have higher open and reply rates.

Social Login

Social login is now one of the most common authentication methods since it provides the convenience that is paramount to users.

Many people increasingly use social login as an alternative to SMS OTP because they can sign up for or log into websites or apps with existing credentials from third-party identity providers such as Google, Facebook, or Twitter. The benefits are many: it is convenient, cost-effective, and increases user engagement. The trade-off is that the security of the login is delegated to the identity provider, so the account is only as strong as the user's Google or Facebook account and whatever second factor (possibly SMS) the user has enabled there.

WebAuthn/FIDO/Passkeys

Recently, three tech giants, namely Apple, Microsoft and Google, announced that they would jointly commit to the FIDO (Fast IDentity Online) Alliance standards, using mobile devices for authentication in order to replace passwords, which are inherently vulnerable to phishing and credential stuffing. What this means is that smartphones will serve as secure passkey stores. To use a passkey, the user unlocks the device with something they are (biometrics) or something they know (a PIN or pattern), which combines with something they possess (the smartphone) in a single action. The security gain over any OTP is that the credential is a public-key pair bound to the website's origin: the browser signs a challenge that includes the origin, so a look-alike phishing site cannot obtain a usable response, and there is no code for the user to read out or for an attacker to intercept. It is also much more convenient, as users can log into apps and websites by confirming a prompt on their phones.

Implement WhatsApp OTP and Other Secure Authentication Methods with Authgear

OTPs are essential to verify logins and transactions. 

However, they suffer from major drawbacks, including friction in user experience and risks of SIM swaps and social engineering scams. 

Authgear is a comprehensive Customer Identity and Access Management solution that provides the authentication and user management features most apps need. By integrating your apps with Authgear, you can implement a variety of authentication methods, including WhatsApp OTP, social login, biometric authentication, and more, to avoid the problems associated with SMS OTPs, enjoy significant cost savings, increase app conversion rates, and increase marketing ROI.

Learn more about our WhatsApp OTP here, or get in touch with us today to find out how our services can help your business grow.