Is SMS OTP Reliable? Its Vulnerabilities and Alternatives
Learn more about what makes SMS OTP so popular, how SMS OTP works, its risks, and alternatives to better protect your users.
July 27, 2023
Big-name companies like Meta, PayPal, and Amazon are rightly pushing us to better secure our apps and services with authentication methods that go beyond the traditional username and password. Among these, SMS OTP is perhaps the most commonly adopted, largely because many services started implementing it well before other authentication methods became popular.
However, this raises the question: Are SMS OTPs secure?
The short answer: not reliably. An SMS OTP is still better than a password alone, but it is the weakest common second factor, and NIST SP 800-63B classifies out-of-band authentication over SMS as a restricted authenticator for that reason.
The problem with this verification method is that the SMS channel has serious security flaws: the code travels over an unauthenticated telephony network to a phone number that an attacker can take over, and the user can be talked into reading the code out.
As cybercriminals become more sophisticated, it is becoming easier for them to take over user accounts on websites and mobile apps with techniques such as SS7 attacks, malware on the phone, social engineering of carriers to perform SIM swaps, and phishing of the users themselves.
The good news: There are many alternatives to SMS OTPs you could use that are more secure and cost-effective. This guide will discuss the dangers of SMS OTPs and provide some handy alternatives to try out.
What Is SMS OTP?
An SMS OTP is an authentication method where a short numeric or alphanumeric code is sent by text message to a phone number on record, and the user types it back to prove they control that number. The code is valid for a single use and a short time window, and it is usually required in addition to a password, as a second factor.
In a typical flow, the app or service you are using texts a one-time code to your phone when you log in, reset a password, or confirm a sensitive transaction. Today, SMS OTP has become the de-facto standard for verifying a user's identity.
Why Is SMS OTP Popular?
With the rise of cyberattacks and data breaches, maintaining and improving data security is no longer an afterthought and implementing two-factor authentication (2FA) adds an extra layer of protection against them. According to Market Research Future, the two-factor authentication market size is expected to grow from USD 14.65 billion in 2022 to USD 44.67 billion by 2030 and it’s said that OTP accounts for about 56-60% of the market value.
SMS OTP is popular because it is relatively easy for businesses to implement and because it leverages both the ubiquity of cell phones and consumers' familiarity with SMS. As long as users have cellular reception, they can receive the OTP and verify their identity. However, despite its widespread usage, businesses should be cautious about relying solely on SMS OTP for 2FA.
Why Should You Abandon SMS OTP?
Verifying a user's identity via SMS OTP isn't as secure as you might think, and security is not the only reason to consider other authentication methods. Here are the common problems with SMS OTP verification and why you should move away from it.
SIM Swap Security Risk
SIM swapping can give attackers access to every online account that falls back to your phone number. An attacker calls your mobile service provider, impersonates you using details gathered from data breaches or social media, and persuades the carrier to activate a new SIM (or port the number out) with your number on it.
From that moment, every SMS and call to your number reaches the attacker instead of you, which defeats any 2FA or account recovery that relies on the phone number. Because most online accounts offer SMS verification for password resets, the attacker can reset the password, access sensitive data, and, if the target is an online banking platform, steal your money.
SIM swap fraud is growing year after year. In 2021, for instance, victims lost a staggering $68 million to it, according to the FBI's Internet Crime Complaint Center.
SS7 Technical Flaw
Signaling System No. 7, commonly known as SS7, is the signaling protocol suite that telephone networks use to set up calls, route SMS, translate numbers, and support services like call forwarding and roaming. It dates from a time when the network was a closed club of trusted operators, so its messages carry no authentication: any party with access to the SS7 interconnect is treated as a legitimate carrier.
So, how does it subject SMS to security risks?
Because nothing in the protocol verifies who sent a signaling message, an attacker with interconnect access can tell the victim's home network that the phone has roamed onto a network the attacker controls, after which calls and SMS, one-time passwords included, are routed to the attacker. Criminals used exactly this technique in 2017 to drain German bank accounts that were protected by SMS transaction codes.
And the scary part? Doing so isn't hard!
The tooling is not the obstacle: open-source SS7 stacks run on an ordinary Linux machine. The obstacle is access to the interconnect, and researchers and criminals have repeatedly shown that such access can be bought or obtained through carriers with weak controls.
Social Engineering Risks
When it comes to SMS security, the user is the weakest link in the security chain.
Hackers have upped their phishing (a form of social engineering) game and use it to obtain OTPs directly from unsuspecting individuals. Studies show that SMS-based scams, also known as "smishing" attacks, soared by 328% in 2020 alone.
Hackers are increasingly using smishing to trick users into revealing OTP codes, and the attack no longer depends on a slow, manual con: phishing proxies and "OTP bots" relay the victim's code to the real site within seconds, well inside the code's validity window. Educating users never to share a code reduces these attacks but cannot eliminate them, because the user has no way to tell a relayed login from a genuine one. The durable fix is a verification method that leaves users with nothing a hacker can talk them out of, such as a credential bound to the site's origin that the browser refuses to use on a lookalike domain.
Sending OTP Through SMS Can Be Quite Expensive
SMS authentication is easy for users but can be expensive for organizations. Companies pay for every SMS message sent to their users, which can add up to substantial monthly bills.
Furthermore, you pay for every message sent out, including the many SMS OTPs that never get delivered. Pricing varies significantly across providers and destination countries and also depends on the volume of messages sent. Worst of all, the cost of a breach resulting from weak SMS authentication can be catastrophic to an organization.
Friction in User Experience
SMS OTPs are familiar to users and make it easy to log in to online applications and services; surveys suggest that more than 60% of users worldwide use SMS OTP to log in to their favorite services.
However, SMS verification becomes a frustrating experience when OTPs arrive late or not at all. Suppose you want to log in to online banking to pay for a service, but the bank's system fails to deliver the OTP or takes minutes to do so. You may miss the payment deadline, look unreliable to the other party, and in the worst case lose the business opportunity altogether.
Alternatives to SMS OTP
Luckily, there are more secure and reliable alternatives to SMS OTP that avoid most of the security and operational issues described above. These include:
WhatsApp OTP
WhatsApp is currently the most popular messaging app, with approximately 2 billion active users as of 2022. Login by WhatsApp, or WhatsApp OTP, improves on SMS OTP because WhatsApp messages are end-to-end encrypted, so the code cannot be read by anyone sitting on the telephony network; SS7 interception and carrier-side leakage no longer apply. Two caveats remain. A WhatsApp account is itself registered to a phone number using an SMS or voice-call code, so a SIM-swapped number can be used to re-register the account unless the user has enabled WhatsApp's two-step verification PIN; and the code still appears on the user's screen, so it can be smished or relayed like any other OTP.
Moreover, WhatsApp OTP is significantly cheaper than SMS OTP, lets you run drip campaigns that convert better than automated email or SMS campaigns, and helps increase app conversion rate, since WhatsApp messages have higher open and reply rates.
Social Login
Businesses are increasingly using social logins as an alternative to SMS OTP.
For an end user, convenience is everything, and that is what social login is all about. With social login, users can sign up for many websites or applications without creating and entering a separate password for each.
Authentication is delegated to an identity provider such as Facebook or Twitter over OAuth 2.0 or OpenID Connect: the user signs in at the provider, and your app receives a signed token asserting who they are. The security of the login is then the security of the user's account at the provider, which is why the provider's own MFA and session protections matter, and your app must validate the token it receives (issuer, audience, expiry, nonce and signature) rather than trusting any token presented to it. The benefits of social login are many: it is convenient, cost-effective, and increases user engagement, and you can get some profile data from the platform when the user signs up.
Passkeys (FIDO2 / WebAuthn)
In May 2022, three tech giants, namely Apple, Microsoft and Google, announced that they would jointly support the FIDO (Fast IDentity Online) Alliance's passkey standard, using mobile devices for authentication in order to replace passwords, which are inherently vulnerable to phishing and credential stuffing. What this means is that smartphones serve as secure passkey stores. A passkey is a public-key credential: the private key never leaves the device, and at login the device signs a challenge from the site, together with the site's origin, after the user unlocks it with something they are (a biometric) or something they know (a PIN or pattern); the device itself is the something they possess. Because the signature is bound to the genuine site's origin and there is no shared code to type, there is nothing to intercept on a network and nothing a phishing page can ask the user to hand over. This is not only more secure but also much more convenient, as users log in to any app or website by confirming a prompt on their phone.
Implement WhatsApp OTP and Other Secure Authentication Methods with Authgear
SMS OTPs are one of the most common ways to verify logins and transactions.
However, they suffer from major drawbacks, including friction in the user experience and exposure to SIM swaps, SS7 interception, and social engineering scams.
By integrating your apps with Authgear, you can implement a variety of authentication methods, including WhatsApp OTP, social login, biometric authentication, and more, to avoid all the problems associated with SMS OTPs, enjoy significant cost savings, increase app conversion rate, and increase marketing ROI.
Contact us to learn more about Authgear to find out how our services can not only protect your users but also help your business grow.