Cross Identity

Official Blog

Best Practices for Multi Factor Authentication (MFA)


In this digital world, who isn’t aware of OTP login, also known as the SMS Authentication method? A simple five to ten-digit passcode sent to your mobile phone can grant you secure access to critical systems within seconds. The process is convenient and relatively risk-free compared to password authentication.

SMS Authentication is the most commonly chosen second factor for Two-Factor or Multi-Factor Authentication because of its significant benefits.

Advantages of SMS Authentication

Unique to each user: OTPs are unique to each user. Each time a user requests an OTP, a new, different code is generated. It is a string of digits, and each string is different for every user, so an OTP is almost impossible to guess.

OTP is never lost: Generally, the OTP delivery rate is close to 100%. The user always receives the passcode directly on his device within seconds of the request. This is unlike passwords, which users generally find difficult to remember, or lose if they write them down.

Highly secure: The main benefit of an OTP is that it expires quickly, typically within 30 seconds, which is too short a time for an attacker to learn your OTP and access the system. This feature makes SMS Authentication hack-proof and highly secure.

Convenient: You can authenticate your identity via SMS Authentication on the go, as the passcode is sent directly to your mobile device. It does not involve the long turnaround time of a password reset, which makes the process very convenient and user-friendly.

However, despite these benefits, industry security experts have pointed out certain drawbacks of SMS Authentication. Attackers are said to be able to obtain your OTP in the following ways:

SIM Swap: The attacker first obtains your phone number and your personal information. Then they contact your service provider, pose as “you” using those details, and ask for your SIM to be blocked or for your number to be moved to a new SIM card and phone. From then on, all your OTPs and SMS alerts are delivered to their device.

Abusing the SS7 Protocol: SS7, or Signaling System 7, is an international telecommunications standard that enables data roaming on your phone and establishes connectivity while you travel. Attackers have abused SS7 by intercepting the target’s SMS messages and redirecting them to another device.

Exploiting a leaky database: A security lapse in a server belonging to a communications company exposed a database containing over 26 million text messages, including OTPs and SMS alerts. This is a rather easy way for an attacker to obtain an OTP that grants access to essential systems.

Nevertheless, these drawbacks do not outweigh the benefits of SMS Authentication if simple yet vigilant steps are taken when opting for it. We have listed some of them below.

SMS Authentication security best practices

Keep your OTP confidential: A malicious attacker may pose as personnel from your phone company and ask for your OTP; it is best not to entertain such requests. Many services warn users not to share the OTP with friends, colleagues, or even the service provider itself.

Keep your device with you: Make sure that when you request an OTP, your device is with you. Do not hand your device to anyone else until you have entered the OTP and accessed the system.

Don’t send multiple requests for an OTP: Sending multiple requests for your OTP is not a safe practice. Try to enter the correct OTP in one go.

Don’t write down your OTP: Save yourself from this grave mistake! Writing down an OTP makes it far easier for the passcode to be stolen. Memorize the number if you must, but writing it down defeats the whole purpose of secure authentication.
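As an added illustration of the properties described under the advantages above (a fresh random code for every request and a 30-second lifetime) and of the “don’t send multiple requests” practice, here is a small server-side OTP service written for this post. It is not Cross Identity’s code; the six-digit length, the three-attempt limit and the 20-second re-request cooldown are assumed values chosen for the example.

```python
import hmac
import secrets
import time

# Constructed example (not the vendor's code): a minimal server-side OTP store
# that enforces a fresh random code per request, a 30-second lifetime, single use,
# a cap on wrong guesses, and a cooldown on repeated requests.
OTP_TTL_SECONDS = 30           # lifetime quoted in the post
OTP_DIGITS = 6                 # assumption: code length
MAX_ATTEMPTS = 3               # assumption: wrong guesses before the code is voided
RESEND_COOLDOWN_SECONDS = 20   # assumption: minimum gap between OTP requests


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested offline
        self._codes = {}         # user -> {"code", "issued", "attempts"}
        self._last_issue = {}    # user -> time of the last issued code

    def request_otp(self, user):
        """Issue a new code for `user` (what the SMS gateway would send),
        or return None if the user is re-requesting too quickly."""
        now = self._clock()
        last = self._last_issue.get(user)
        if last is not None and now - last < RESEND_COOLDOWN_SECONDS:
            return None
        # Cryptographically random, so one code reveals nothing about the next.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[user] = {"code": code, "issued": now, "attempts": 0}
        self._last_issue[user] = now
        return code

    def verify(self, user, submitted):
        """Return True exactly once, for the current unexpired code; else False."""
        entry = self._codes.get(user)
        if entry is None:
            return False
        if self._clock() - entry["issued"] > OTP_TTL_SECONDS:
            del self._codes[user]          # expired: force a fresh request
            return False
        entry["attempts"] += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(entry["code"], submitted):
            del self._codes[user]          # single use: burn the code
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._codes[user]          # too many wrong guesses: void it
        return False
```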

We are already aware of the risks attached to password authentication. Attackers can try multiple techniques (hacking, credential stuffing, password spraying, and so on) to discover a password, and most of the time they succeed.

However, there is only a slim chance of an OTP being stolen, and if you are vigilant enough, SMS Authentication can be a highly secure method of verifying your identity. So SMS Authentication does make a good choice for forming a robust 2FA or MFA mechanism.
