
Why are fewer companies using SMS 2FA for authentication?

Instead of SMS two-factor authentication, some companies are switching to 2FA through messaging apps and social media platforms. Learn what's behind this authentication trend.

What is behind the trend of enterprises and developers moving away from SMS 2FA and toward authentication through social media platforms?

In 2019, Facebook announced that its Account Kit for iOS and Android would integrate authentication with the encrypted messaging app WhatsApp. Developers building mobile apps on Account Kit can now send verification codes to users over WhatsApp, instead of by Short Message Service (SMS) text, when those users log in with a phone number.

Account Kit is Facebook's developer tool for logging in and authenticating users without the developer having to send two-factor authentication (2FA) or one-time password codes themselves. Account Kit sends these messages when they are needed, and it can also authenticate users through their Facebook account and now through WhatsApp.

Two-factor authentication is a common method for verifying the identity of users. It authenticates users based on two conditions: something they know and something they have. If a user logs in with a username and password, an SMS message or an email with a random code will be sent for the user to input into the service prior to logging in. The username and password are known to the user, and the random code is sent to a device the user owns.

SMS 2FA is challenging for four reasons:

  1. SMS 2FA is expensive to operate at scale, since each message can incur a carrier charge.
  2. It is cumbersome for users who often need to type the validation code manually into an app or on a separate device.
  3. Vulnerabilities around SMS interception have cropped up in recent years, lowering its effectiveness.
  4. SMS doesn't have 100% deliverability.

Facebook, along with WhatsApp, accounts for over a billion users, and now WhatsApp offers 2FA through its service instead of via SMS.

Google is doing the same internally by enabling users to log in to the Google account for many of its services with additional verification done by pinging the user's Android device asking them to approve access -- no need for code entry.

Going forward, two-factor authentication will likely not be limited to SMS and carrier platforms. It could follow the omnichannel trend, in which contact centers are expected to communicate with their clients over any channel, whether by phone, SMS or social networks.

Developers should ensure users can connect and authenticate with their service through other accounts -- be it WhatsApp, Facebook, Google or the carrier's SMS and phone service -- accessed on their device, rather than just through SMS.

Enterprises should consider adopting third-party verification services that can aggregate different channels for authentication and offer them in parallel with fallback mechanisms with user preferences.
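The two-step flow described above (password, then a random code sent to a channel the user owns) combined with the channel aggregation and fallback this article recommends, as an added example that is not part of the original article or of any vendor's product. The channel adapters, the 300-second code lifetime and the three-guess limit are assumptions chosen for illustration; a real deployment would plug in WhatsApp, push and SMS gateway clients behind the same `Sender` signature.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A channel adapter takes (destination, code) and reports whether delivery succeeded.
Sender = Callable[[str, str], bool]

CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 3         # assumed guess budget per issued code


@dataclass
class PendingCode:
    code: str
    channel: str
    expires_at: float
    attempts: int = 0


@dataclass
class OtpService:
    senders: Dict[str, Sender]                # channel name -> delivery adapter
    now: Callable[[], float] = time.time      # injectable clock so expiry is testable
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, user: str, destination: str, preferences: List[str]) -> Optional[str]:
        """Deliver a fresh code over the first channel, in the user's preferred
        order, that reports success. Returns the channel used, or None."""
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        for channel in preferences:
            sender = self.senders.get(channel)
            if sender is not None and sender(destination, code):
                self.pending[user] = PendingCode(code, channel, self.now() + CODE_TTL_SECONDS)
                return channel
        return None   # every channel failed: fail closed, never skip the second factor

    def verify(self, user: str, submitted: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.now() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]   # expired, or guess budget exhausted
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.code, submitted):   # constant-time compare
            del self.pending[user]   # a code is single use
            return True
        return False
```

Because `issue` returns the channel actually used, the login UI can tell the user where to look for the code when the preferred channel (say, WhatsApp) was unavailable and SMS was used instead.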
