Building SMS Authentication is Challenging
Phones are ubiquitous, forming the largest segment of the world’s computing base. However, despite the broad market adoption of a few operating systems, interoperable messaging standards are rare and often fragmented.
SMS (Short Message Service) messaging¹, despite a number of material challenges, has broad adoption, international regulations, and support across platforms.
This post details the use of SMS as an authentication mechanism.
- Easy for Users, Hard for Attackers
- Works globally, across all cellular carriers, even in lossy service environments.
- Enrollment, opting out, and authentication are beautiful, simple processes.
- Confidence the user has access to their phone, and the phone number is valid.
- When users change their phone number, they don’t stop using the service; they can migrate to a new phone number smoothly.
- When an attacker pretends to be a user, they are prevented from taking over the account.
- A user should not be easily duped into helping their attackers.
Authentication is a two-way street
SMS delivery is not guaranteed, and many implementations provide no mechanism through which a sender can determine whether an SMS message has been delivered.
💡 Allow users to request a new code as part of the product. Use a different code for each message.
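The two tips above, as an added example that is not code from the post or from Magic: a hypothetical server-side code store that replaces the previous code on every resend, throttles resends, and, going slightly beyond the text, also expires codes, accepts each one only once, and bounds the number of guesses. The policy values and the in-memory "gateway" list are assumptions.

```python
from __future__ import annotations
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical server-side policy values; these are assumptions, not the post's.
CODE_TTL_SECONDS = 300        # a code stops working five minutes after it is sent
RESEND_COOLDOWN_SECONDS = 30  # minimum gap between two messages to one number
MAX_ATTEMPTS = 5              # wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, now=time.time):
        self.now = now                         # injectable clock so tests can advance time
        self.pending: dict[str, PendingCode] = {}
        self.sent: list[tuple[str, str]] = []  # constructed stand-in for the SMS gateway

    def issue(self, phone: str) -> bool:
        """Send a fresh code; any older unused code for this number is replaced."""
        prev = self.pending.get(phone)
        if prev and self.now() - prev.issued_at < RESEND_COOLDOWN_SECONDS:
            return False  # too soon: throttle resends so the flow cannot be used to spam a number
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; never a counter or a timestamp
        self.pending[phone] = PendingCode(code, self.now())
        self.sent.append((phone, f"{code} is your ACME.co code."))
        return True

    def verify(self, phone: str, submitted: str) -> bool:
        """Accept a code once, within its lifetime, with a bounded number of guesses."""
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.now() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[phone]  # expired: the user must request a new one
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, submitted.strip())
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[phone]  # single use, or too many wrong guesses
        return ok
```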
Users can request to stop receiving SMS from a particular sender, often by replying with ‘STOP’, after which that sender’s messages are no longer delivered to them.
In the United States, the FCC affirms that text messages are covered under the Telephone Consumer Protection Act, and users have a variety of rights, including the right to opt out.
💡 Notify users when their phone number is undeliverable, either in-app or via email.
SMS standards make spoofing phone numbers difficult. However, no easy way exists for consumers to authenticate numbers or associate them with businesses. Messages appear with only a number to identify them.
Users are habituated to ignore sender ids, or react with suspicion when numbers are changed.
💡 Include information about the sender in your message (“Your ACME.co Code: 123-123”), or use Domain-Bound Codes
Some sites trick users into entering authenticator codes for other sites. A common ploy asks for a user’s phone number, and prompts the user to enter the code they receive. The attacker simply forwards the collected code to the target, and successfully poses as the end user.
- User Logs in to Fraud Site. Provides User phone number
- Fraud Site forwards request to Real Site
- Real Site sends User an SMS challenge. However, User thinks it comes from the Fraud Site
- User enters the correct SMS code on the Fraud Site
- Fraud Site / Attacker uses correct SMS to log into legitimate site
- Attacker now has legitimate session on real site
💡 Include information about the sender in your message (“Your ACME.co Code: 123-123”), or use Domain-Bound Codes
💡 Monitor for automations and headless browsers attempting your site’s login flow
Users, particularly those outside of the United States, change their phone numbers often, giving rise to the popularity of messaging applications.
💡 Facilitate self-service recovery of SMS logins through alternative channels
SIM-swapping attacks are socially engineered takeovers of a user’s telecom contract. Calling customer support to transfer a phone number between phones is common practice for consumers, and attackers exploit the same process to capture SMS messages.
Users can defend themselves, though they rarely do, and unfortunately many remain susceptible to these risks.
💡 Many SMS vendors provide carrier information in their API responses. If the carrier changes for a given number, send a confirmation email.
The emerging standard for SMS security is to use Domain-Bound Codes for authenticating and protecting SMS messages.
Messages are formatted to describe their sender, and allow automated tools to read those messages to auto-fill or protect users.
Major mobile operating systems support or plan to support domain-bound codes.
123-456 is your ACME.co code.
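The relay attack above and the domain-bound format described here, as an added example that is not code from the post or from Magic: a formatter that appends the machine-readable binding line, and a parser that mirrors the check a platform makes before offering autofill, returning the code only when the message is bound to the host the user is actually on. The `@<domain> #<code>` final-line format is assumed here (it is the one used by Apple's domain-bound codes and the browser WebOTP API); the post shows only the human-readable line.

```python
import re
from typing import Optional

# Last-line format used by Apple's domain-bound codes and the browser WebOTP API:
# "@<domain> #<code>". Treated as an assumption in this example; the post only
# shows the human-readable line.
BINDING_LINE = re.compile(r"^@(?P<domain>[a-z0-9.-]+) #(?P<code>\S+)$")


def format_domain_bound(code: str, domain: str) -> str:
    """Human-readable text first, machine-readable binding on the final line."""
    return f"{code} is your {domain} code.\n\n@{domain.lower()} #{code}"


def autofill_code(message: str, current_host: str) -> Optional[str]:
    """Return the code only when the message is bound to the host the user is on.

    This mirrors the check an OS or browser performs before offering autofill:
    a code bound to acme.co is never offered on another host, so the relay
    described above gets no help from the platform.
    """
    lines = message.strip().splitlines()
    if not lines:
        return None
    m = BINDING_LINE.match(lines[-1])
    if not m:
        return None  # unbound (legacy) message: nothing to verify the sender against
    # Exact host match; any looser policy (e.g. subdomains) is a deliberate decision.
    if current_host.lower() != m.group("domain"):
        return None
    return m.group("code")
```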
SMS login flows can be complex to build and manage, but a few considerations will make the experience as smooth as possible for your users.
Allow users to copy-paste into your SMS input box
- Diverse interfaces exist for mobile devices, and users may not type in codes using a keyboard. Allowing paste makes your service more accessible, and a smoother end user experience.
Using numeric codes? Label your input box as `numeric`
- Phone soft keyboards use information about the input box to render the most usable keyboard for the use case. Showing a numeric keypad helps make entering codes as easy as possible
Supporting iOS users? Tag login boxes with `textContentType = .oneTimeCode`
- Operating systems such as iOS make it easy to fill in one-time codes from SMS messages. Apple uses the text content type `textContentType = .oneTimeCode` to let users auto-fill new SMS codes into the page.
Building with Google Play? Consider auto-verification with the SMS Retriever API
- Android’s Google Play Services offer a collection of advanced SMS tools for verification of SMS codes, including supporting background verification.
- With the SMS Retriever API, it is possible to build almost silent user and device verification; however, fallback support for traditional SMS is required, and informing users about what is occurring is critical to building user trust and comfort.
Building Web Applications? Use `autocomplete="one-time-code"`
- Many browsers facilitate SMS message autofill through input attributes such as `autocomplete="one-time-code"`. This provides a smooth cross-platform user experience and lets your product take advantage of built-in browser functionality.
With challenges spanning usability, deliverability, internationalization, fraud, bots, social engineering, and multi-device support, the simple user experience of SMS login comes with real complexity for developers.
Magic makes authentication easy for you and your users. Supporting a broad array of use-cases with a beautifully designed developer experience, getting started with SMS login is easier than ever.
Join Magic’s Discord: https://discord.com/invite/magiclabs
Follow Magic on Twitter: https://twitter.com/magic_labs
¹Note: the terms ‘SMS’, ‘message’, and ‘text’ are used colloquially to refer to ‘Short Message Service messages’