Passwords have been used with computing systems since 1961, when the first password login was implemented. However, the increased number of security attacks had led to the need for two-factor authentication, a service known to have been first introduced in 1995 when AT&T’s patent was issued.
Today, balancing security, user experience, and budgets is one of the biggest challenges for product creators. Enhanced account security is not enough in developing apps used by millions of users. This article aims to help product managers on the quest to offer the best user journeys coupled with a budget-friendly authentication. Our SMS2FA alternative: TypingDNA Verify 2FA.
- SMS authentication service
- SMS 2FA alternatives
- What makes a great two-factor authentication (2FA)?
SMS authentication service
What is SMS two-factor authentication service?
SMS two-factor authentication service is usually part of two-factor authentication(2FA) or a multi-factor authentication solution (MFA) to verify identity and grant access to accounts or confirm payments by sending a code via short message service(SMS).
A 2FA or MFA solution is designed around various factors categorized as follows:
- Possession based-factors: like owning a phone or a token generator device,
- Inherence factors: like typing biometrics, retina scan or fingerprint,
- Knowledge-based factors: like passwords or secrets and PINS.
SMS two-factor authentication is recognized as a possession-based factor, where the user’s identity is verified based on something they own (i.e., a mobile phone). Increased security incidents have enforced the need for additional security, with account takeovers affecting more than 22% of online users.
SMS two-factor authentication (2FA) is an additional security method that uses SMS one-time passwords (OTP) or codes that are delivered via text message. When trying to log into their accounts, users are prompted to enter an OTP delivered via SMS (short message service or a text message) in specially designed pages or fields to verify a transaction or login.
SMS authentication service as a two-factor authentication
The usual login process combines an identifier or the username and a password, which comprise only one authentication factor. On the other hand, Two-factor Authentication (2FA) systems are based on a first factor, typically a knowledge-based factor like a password, and a second method which can be either a possession factor like SMS OTP or email OTP or an inherently based factor like typing biometrics or fingerprint.
SMS authentication service as a two-factor authentication system has grown in popularity once a large number of users started adopting the phone devices. Another key contributor to the widespread SMS authentication service part of two-factor authentication has been technology giants like Google, Twitter, Facebook, and others. They have primarily introduced SMS two-factor authentication for the user’s account protection.
SMS authentication code
One-time passwords (OTP), also known as one-time PINs, one-time authorization codes (OTAC), or dynamic passwords, are passwords valid for only one login session or transaction on a computer system or other digital device. An SMS authentication code is used when sending messages as part of two-factor authentication (2FA) or multi-factor authentication (MFA). With SMS authentication codes, users can verify their identity or validate transactions.
The particularities of SMS authentication codes are related to generation methods of the OTP’s. The SMS authentication code algorithms vary as they can be based on time-synchronization between the authentication server and the client providing the password, thus being valid only for a short period. SMS OTP codes can also use a mathematical algorithm to be generated and are part of a chain and must be used in a predefined order. Another code-generating algorithm would create a new password based on a challenge like a random number chosen by the authentication server or transaction details.
SMS authentication online
SMS two-factor authentication can also be used through online services, and no actual phone number is required. Still, users must be advised that these codes will not be private or secure and can be seen by anyone. Online SMS authentications services provide a number that users can use to receive SMS codes. For unimportant one-time verifications, using a phone number that is not tied to personal information might prove helpful given the latest security flaws associated with SMS OTP.
Free SMS authentication
Several online services now offer free SMS authentication used to bypass the need for service-linked phone numbers. Instead, these temporary phone numbers can serve as a medium to receive codes in various geographies like the USA, UK, and other countries.
When choosing the factors of the 2FA system you are creating, there are several 2FA options. Ideally, they are suitable for your users. For example, SMS OTP codes can be a very convenient 2FA option when assessing the adoption. More than 60% of users worldwide use SMS 2FA to log into their favorite services.
From a security standpoint, SMS 2FA codes are not the first option to regard; still, the sensitivity of the data your users gain access to might be an essential factor to consider. Specifically, users could easily use SMS 2FA to access their favorite websites or services.
Hardware-based authentication services are a good option for digital natives but are not so popular with baby boomers. Given that their adoption is still low among the elderly population, such a method might not suit applications or services that include a diversified user base. A qualitative study found that FIDO certified USB password keys implementation was a poor match for older adults. It did not cater to their existing technology, and it failed to address their needs or motivate the use from a security perspective.
Another 2FA option is email OTP, which proves to be a more budget-friendly alternative. Still, the user experience might be hindered even more, given that access to email apps must exist at all times during the login process.
2FA enabled vs. enforced
Requiring a two-step verification option is now the standard. The difference between enabling 2FA and enforcing 2FA relies on the conditional access policies that might affect your users. When enabling 2FA, users will perform two-step verification every time they sign in. After their enrollment, users will also have to register the next time they sign in but are not conditioned by this step.
With 2FA enforcement, you will allow access for your users only after completing a registration process that is not optional. In this case, users will only be able to log in after completing the mandatory two-step verification. Some services offer the possibility to create conditional access policies that apply to groups and individual users.
2FA email vs. SMS
2FA email comes with a series of benefits for the users. The first one is the familiar data requirement; most users already use email addresses to sign up for a service or reset passwords. The ease of the onboarding process comes next: since users don’t need to download a specific app or go through the configuration of a setup, they just have to access their email. Another advantage is the privacy concern; users don’t associate other personally identifiable information like their phone number limiting the data they transfer to a service provider.
Still, 2FA with email has its flaws. Email addresses are also used to change passwords, so compromising the first factor in a 2FA email setup will also compromise the second factor. Once attackers gain access to your email inbox, they can take over the entire account and your email OTPs.
SMS 2FA proves to be a more secure authentication setup than email-based 2FA. Also, it can add protection to any account, including emails. Research from Google shows that adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during their investigation.
Google will soon switch on two-factor authentication by default
Google is activating two-factor authentication on Google accounts by default. This marks a new age where 2FA will definitely be implemented on an even larger scale than before. Users that have already set up two-factor authentication or 2-step Verification for their Google accounts will be asked to confirm the right person is signing in to an account by tapping a prompt on their phone, sending an Android prompt, or through the Smart Lock. Of course, passwords are still not obsolete since Google offers a secure password manager for Chrome, Android, and iOS that can autofill login details on sites and apps.
SMS 2FA alternatives
The digital world needs better SMS 2FA alternatives, especially since recently shown vulnerabilities in various contexts are on the rise. SMS 2FA is insecure due to the following vulnerabilities:
SIM swapping (bad actors contact a phone company and (using the personal information they have collected about a target, like an SSN) request that a number be transferred to another phone),
SIM hacking (malicious actors can spoof cell phone tower signals and SS7 systems and access information contained in private messages),
Synced devices (synced devices allow access from multiple smartphones, laptops, tablets, and wearables)
Social engineering attacks (attempts to convince targets to unknowingly hand over their personal information and passwords—including SMS codes).
Better alternatives to 2FA SMS
In the past years, account security alternatives have diversified. For example, the alternatives to SMS 2FA include biometrics-based authentication factors like typing biometrics, 2FA apps, or hardware-based 2FA.
Typing biometrics as part of a 2FA setup
Typing biometrics is an emerging technology facilitated by the progress in AI and computational power. As part of an authentication process with typing biometrics, the initial enrollment captures the typing pattern created based on how individuals type on their keyboards and attribute it to the user. Every time a new authentication is made, the stored hashed pattern is verified against the initial typing pattern, and if the match is successful, the user is logged in. Combined with other factors, a typing biometrics-based 2FA implementation is the new norm in avoiding costly tokens, long login times, or a cumbersome user experience.
Typically, authenticator apps must be installed on a smart device. They will generate a passcode that can be used for logging in, transaction confirmation, or act as a master key. Besides the obvious downside that users will need to install new software on their devices, another disadvantage is that for every account that the user owns, further action needs to be set up separately, adding friction to the authentication process. Keep in mind that this technology is not only offering a cumbersome user experience, but its adoption rates are at only 36%.
Unfortunately, hardware 2FA solutions don’t see a high adoption rate. One main reason is the costs associated with the hardware devices, ranging from $15 to upwards of $50. The accessibility of a physical security key (or U2F) is also hindered by the USB connection that that individual must have. An NFC version is available for smartphones, but losing such a device will cause a tedious re-authentication for all accounts with a new key. Although most hardware 2FA devices are FIDO-certified and guarantee higher account security, drawbacks, such a price or bad user experience cannot be disregarded.
Is SMS 2FA worse than no 2FA?
No. According to any security audit, SMS 2FA is still better than using just one factor like pairing email address and password. Breaching a password through brute force attacks is even easier now with increased computing powers. One example is credential stuffing, a form of cyberattack in which a list of credentials obtained from a data spill becomes available for sale or free download. Adding a second factor like SMS 2FA drastically increases account security, making attackers work harder to access your data.
What makes a great two-factor authentication (2FA)?
A great alternative to SMS two-factor authentication comes, as shown above, in many products and methods. Still, product managers will want to choose the 2FA option that is:
- Focused on user experience
- Budget-friendly, especially for services with high-frequency authentications needs
- Fast and easy to implement
User experience and 2FA
At TypingDNA, we genuinely believe user experience is an integral part of any great two-factor authentication setup. Although SMS 2FA has proven to be the go-to authentication for the past decades, forward-thinking product managers will assess more user-friendly authentication solutions keeping user experience at the core of their products. As shown by the biggest disruptors in almost any industry ranging from Airbnb to Google or services like Uber, stellar user journeys come first.
Customers have high expectations towards their digital product journeys expecting fast services and flawless processes while solving their needs. Any good product will start with simplified and secure authentication methods. The choice for the best second authentication factor must respond to your user base and their needs being user-friendly and easy to adopt.
Why TypingDNA Verify 2FA is a UX-first authentication solution
In a nutshell, TypingDNA Verify 2FA uses our proprietary typing biometrics authentication technology to verify a user’s identity. Users type four words specifically chosen by our AI engine to enable higher matching accuracy on much shorter texts. The four words are of high complexity regarding the number of different characters, the way they are dispersed throughout the keyboard layout, the vertical and horizontal travel, so we can understand the unique typing pattern of a user. After typing the four words, the typing patterns are matched to authenticate users in your desired application. Users don’t have to switch devices or input specific OTP sent via email or SMS, making authentication seamless. TypingDNA Verify 2FA was created to use the classic authentication methods such as SMS or email OTP only as fallback methods in a root of trust system.
After addressing the need for a better user experience, product managers will also want to adopt authentication methods to meet their budgets.
SMS 2FA is a scalable solution that can respond to an increased number of users. But with high authentication volumes, the associated costs will also rise. Sending an OTP code via SMS is indeed the norm. But, what if you could reduce the SMS OTP costs to as low as 10% of what your company usually pays? TypingDNA Verify 2FA was developed as an alternative to classic 2FA, focusing not only on UX but also budget.
By using TypingDNA Verify 2FA, companies can drastically reduce their SMS 2FA costs. Particularly, an extreme cost-cut example includes companies with an increased number of authentications for users in China. Based on the market size, a cost reduction of more than 95% would occur when using TypingDNA Verify 2FA as a second factor and sending 2FA SMS only as a root of trust.
Fast 2FA integration in under 10 minutes
Yes, it’s possible to have your 2FA set up in under ten minutes, even without an existing IAM provider. Just follow the steps in the video tutorial below:
The first companies to sign up for TypingDNA Verify 2FA can use the service for free for the first year or up to 100,000 authentications.