New Guidelines to SMS Authentication

Tagged in: ,

close-up woman laptop mobile phone finger button enter desk

With a seemingly ever-increasing amount of data breaches making headlines, companies are trying to be more vigilant than ever about making sure your accounts are secure. You’ve likely experienced some of these efforts firsthand. For example, one of the most common practices is 2-factor authentication. This is where a company will use two completely separate means of verifying that you are actually you and not someone attempting to impersonate you.

While there are various options as far as 2-factor authentication goes, one of the most common involves sending a text message to your phone that includes a one-time code that will expire within a few minutes. The theory here is that only you have the phone in your possession. Thus, only you will receive that code. Thus, if the code is entered via a form in a website, you must be exactly who you say you are and not a criminal. If a criminal doesn’t have your phone, it’s impossible to pretend to be you because the text message will never land in the criminal’s hands!

This method of verifying your identity has been bulletproof up until recently. Now, some of the more sophisticated criminals, and there are a few of them out there in this world, have a workaround for certain types of phone numbers. These criminals can make it look like as though they have your phone if — and it is a big IF — your number is a VoIP-type of number such as a Skype, Google Voice, or Vonage phone number. If this is the case, an SMS text containing a 2-factor authentication code could be intercepted by the criminal and your account compromised.

The National Institute of Standards and Technology, also known as NIST, which is part of the Department of Commerce, is finalizing its Digital Authentication Guideline. One of the biggest changes NIST is suggesting attempts to patch this potential vulnerability whereby criminals could make it look like they have your phone. Its recommendation is to use 2-factor authentication with SMS notifications only when you know that the delivery phone number has been verified to be associated with an actual mobile network like Verizon, AT&T, or Sprint and not with a VoIP service such as Google Voice, Skype, RingCentral, Vonage, or Ooma.

This proposed change is a huge deal as many big companies such as Amazon, PayPal and Google have 2-factor authentication with SMS built into all sorts of routine interactions ranging from trial signups to password resets.

So, how can you verify a mobile phone number’s network status? Is it a plain old cellular phone number or is it VoIP based using a service such as Google Voice? Service Objects’ Phone Exchange 2 real-time API is the answer. Our phone verification API can tell you exactly if a mobile phone number is a VoIP-type line or a good ‘ol cellular number that can be trusted for 2-factor authentication.

Simply run the number through our service before sending an SMS authentication code. Our real-time phone verification API allows you to meet NIST’s Digital Authentication guidelines without having to sacrifice your investment in SMS authentication. If a phone number is validated as a regular cellular number, you have the green light to send verification codes to it via SMS. If it appears to be VoIP related, then you have the information you need to choose an alternate authentication factor.

The NIST Digital Authentication Guideline isn’t final yet, but it’s not too early to implement measures, such as mobile phone verification, to make sure your accounts are secure.