The Prevalence and Challenges of SMS Authentication
SMS-based two-factor authentication (2FA) is widely adopted as an easy-to-implement security measure. Banks, social networks, and e-commerce sites commonly send one-time passwords to mobile phones during login.
However, SMS authentication has inherent vulnerabilities. The US National Institute of Standards and Technology (NIST) deprecated SMS-based authentication as far back as 2016. FIDO2 security keys offer an effective alternative. Security experts strongly recommend migrating to safer methods.
Specific Risks of SMS Authentication
SIM Swap Attacks
In a SIM swap attack, an attacker contacts your carrier's customer support, impersonates you, and requests a SIM card reissue. Once the new SIM is in the attacker's device, all your SMS messages - including authentication codes - are redirected to them. This enables takeover of bank accounts and social media profiles.
SIM swap attacks have been reported in Japan targeting mobile numbers starting with 090, 080, and 070. Attackers typically gather personal information through phishing or social engineering beforehand to pass identity verification.
SS7 Protocol Vulnerabilities
SS7 (Signaling System No. 7), designed in 1975 for carrier interconnection, lacks adequate security features. Exploiting its vulnerabilities allows SMS interception. While technically challenging, state-level attackers and sophisticated criminal organizations have demonstrated this capability.
Real-Time Phishing
After capturing credentials on a fake login page, attackers log into the real site in real time and prompt the victim to enter the SMS code they receive. Combined with SMS fraud (smishing), victims believe they are interacting with the legitimate service.
Malware-Based SMS Theft
Some Android malware automatically forwards received SMS messages to external servers. Installing a malicious app can result in authentication codes being sent to attackers in real time. Authenticator apps can help detect and remove such threats.
Safer Authentication Alternatives
Consider migrating to the following alternatives, listed in order of increasing security strength:
- Authenticator Apps (TOTP): Google Authenticator, Microsoft Authenticator, and Authy generate time-based one-time passwords every 30 seconds. Since codes are generated locally, they are not vulnerable to SMS interception.
- In-App Push Notifications: Approve authentication via push notification in a dedicated app. Microsoft Authenticator and Google Prompt are examples, offering one-tap approval.
- Hardware Security Keys: Physical devices like YubiKey or Google Titan Security Key provide FIDO2/WebAuthn authentication with extremely high phishing resistance.
- Passkeys: A next-generation authentication method linked to biometrics (fingerprint, face recognition) based on the FIDO2 standard. Apple, Google, and Microsoft are actively expanding support.
Migration Steps from SMS to Alternatives
Step 1: Check Compatibility
Verify which of your key services support authenticator apps or security keys. Most major services (Google, Apple, Amazon, major banks) support authenticator apps.
Step 2: Prioritize and Migrate
You do not need to switch everything at once. Start with high-priority accounts: financial institutions, email, and social media. Store backup codes in a safe place.
Step 3: Set Up a SIM Lock
As a defense against SIM swap attacks, ask your carrier to set a SIM lock PIN. This requires PIN entry when reissuing a SIM card, preventing unauthorized transfers.
Authentication Method Comparison
- SMS Authentication: Security: Low-Medium. Convenience: High. Vulnerable to SIM swap and SS7 attacks. Nearly universal support makes it easy to adopt.
- Authenticator Apps (TOTP): Security: Medium-High. Convenience: Medium. No interception risk since codes are generated locally. Backup codes needed for device loss recovery.
- Push Notification Authentication: Security: Medium-High. Convenience: High. One-tap approval is simple. Limited service support.
- Hardware Security Keys: Security: Very High. Convenience: Medium. Highest phishing resistance. Requires purchasing a physical device (around 3,000-8,000 yen).
- Passkeys: Security: Very High. Convenience: High. Linked to biometrics with strong phishing resistance. Rapidly expanding service support.
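The "highest phishing resistance" of hardware keys and passkeys comes from origin binding in FIDO2/WebAuthn, which the real-time phishing section above cannot defeat. The following added example (not code from the page or any WebAuthn library) shows the relying-party checks on clientDataJSON and authenticatorData that precede signature verification; the signature check itself is omitted, and the RP identifier, origins and challenge are constructed for illustration.

```python
import base64
import hashlib
import json
import secrets

# Constructed values: the relying party the user enrolled with, and the origin it expects.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it. The page's script cannot choose `origin`;
    the browser fills it in, so a look-alike site can only ever produce its own origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 0) -> bytes:
    """authenticatorData prefix: SHA-256 of the RP ID, one flags byte (bit 0 = user present),
    then a 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def check_assertion(client_data: bytes, auth_data: bytes, issued_challenge: bytes) -> str:
    """Relying-party validation steps from the WebAuthn spec. Returns "ok" or the reason
    for rejection; a real RP would then verify the signature over
    auth_data || SHA-256(client_data) with the credential's public key."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch (replay or stale session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"


def demo(origin: str) -> str:
    """One login attempt: the RP issues a fresh challenge, the browser at `origin` signs it."""
    challenge = secrets.token_bytes(32)
    return check_assertion(make_client_data(origin, challenge), make_auth_data(RP_ID), challenge)
```

A phishing proxy relaying the ceremony from a look-alike domain fails the origin check even though it relays the correct challenge, which is exactly the property an SMS or TOTP code lacks.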
Recommendations for Service Providers
Service providers also bear responsibility for moving away from SMS authentication. More than eight years after NIST deprecated SMS-based 2FA, many services still offer it as the only option. Providers should urgently add support for authenticator apps and passkeys, especially financial and healthcare services handling sensitive data.
Practical Security Habits for Daily Life
Beyond migrating authentication methods, building daily security habits further reduces the risk of phone-number-based attacks. Regularly audit which services use your number for SMS authentication and migrate where possible. Use a password manager to efficiently track registered services.
Be vigilant about unexpected SMS messages. If you receive an authentication code you did not request, someone may be attempting unauthorized access to your account - change your password immediately and check login history. Avoid sharing your phone number casually; skip the phone number field on optional forms and register only with essential services. Reviewing your iOS and Android phone privacy settings is also an effective way to reduce exposure.
Summary - Move Beyond SMS Authentication
SMS-based two-factor authentication is "better than nothing," but it lacks sufficient defense against modern cyberattacks. Migrating to authenticator apps or hardware security keys significantly improves account security. Prioritize migration for critical services like financial institutions and email accounts.