In today’s mobile world, our users demand access to information from anywhere, on any device, at any time, and, a relatively new factor, in any app they want. Security professionals should agree that a username and password combination alone is not serious security. As such, companies have been implementing Multi-Factor Authentication (MFA) as a best practice for securely providing the access our users demand. When you consider MFA, your risk assessment must include items such as cost, support, operations and security; it should also include end-user convenience and ease of use.
In the past, most companies have typically considered either hard tokens or soft tokens as options for MFA. Both have advantages and disadvantages, and both are proven technologies for providing MFA. However, with today’s proliferation of smartphones and apps, coupled with our users’ insatiable appetite for instant access, out-of-band MFA using One-Time Passwords (OTPs) delivered to smartphones may prove to be an option for companies. I access several websites that provide this type of authentication. From an end-user perspective, I find the process easy and I am much more comfortable accessing and providing sensitive information.
The out-of-band process is an OTP process and usually works as follows: the user enters a user ID and password into a website, receives an authentication code on their cell phone, and then enters that code on the web page to complete the authentication. If the time limit is exceeded, the user must restart the process.
The advantages of SMS-based authentication are that the smartphone is something the user already has and that the passcode travels out of band. Users will probably be more accepting of an app running on their smartphone than of having to carry a hardware token, and they usually have their smartphone with them. Further, as the owner of the website, you do not need to purchase and ship tokens to each new user. This one advantage will, hopefully, increase MFA adoption, as the cost of provisioning, replacing and revoking physical tokens has been a barrier to implementation. Finally, most security professionals will agree that an OTP is a secure process for authentication. Adding a time limit on the OTP is just another layer of defense in depth.
One potential disadvantage of using SMS is that you are dependent on the carrier for sending the text. Once a user enters her username/password combination, she expects a response in seconds. The carrier, however, could deliver the message in seconds, minutes, or hours. Not receiving the OTP in a timely fashion could cause user dissatisfaction, especially if you have implemented a time limit. Although I have not experienced this issue, it could become one if a carrier is experiencing high volume, slowdowns or outages.
Other concerns are the security of text messages being sent in the clear and the carrier storing the message on its servers. However, if the authentication process is coded and implemented properly, all the user should see in the text message is the OTP. Without the context of authenticating into the secure website, the code in the text message is useless.
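The session-bound, time-limited flow described above, written out as an added Python example that is not part of the original post: the code is generated only after the password step succeeds, is sent as nothing but the code, expires after a time limit, is single use, and is accepted only against the login session that requested it. The `send_sms` callable, the session ids and the 120-second limit are assumptions.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed time limit; after this the user must restart the login
MAX_ATTEMPTS = 3        # wrong guesses tolerated before the code is discarded


class SmsOtpService:
    """Issues and checks the out-of-band code for the second step of a login.

    send_sms(phone, text) is an injected callable; a real deployment would
    wrap its SMS gateway client here (assumed interface, not a real library).
    """

    def __init__(self, send_sms, clock=time.time):
        self._send = send_sms
        self._clock = clock
        self._pending = {}   # login session id -> challenge state

    def start(self, session_id, phone):
        """Call only after the username/password step succeeded for this session."""
        code = f"{secrets.randbelow(10**6):06d}"     # CSPRNG, 6 digits
        self._pending[session_id] = {
            "code": code, "issued": self._clock(), "attempts": 0}
        # The text carries only the code: no username, no site name, no link.
        self._send(phone, f"Your sign-in code is {code}")

    def complete(self, session_id, submitted):
        """Returns 'ok', 'expired', 'invalid', 'locked' or 'no_challenge'."""
        state = self._pending.get(session_id)
        if state is None:
            return "no_challenge"        # a code alone is useless without its session
        if self._clock() - state["issued"] > OTP_TTL_SECONDS:
            del self._pending[session_id]
            return "expired"             # user must restart the whole process
        state["attempts"] += 1
        # Constant-time comparison; the code is bound to this session only.
        if hmac.compare_digest(state["code"], str(submitted).strip()):
            del self._pending[session_id]   # single use
            return "ok"
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]
            return "locked"
        return "invalid"
```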
When you are considering MFA, you should look at all your options and choose the one that fits your risk appetite. During the process, I suggest you review SMS authentication. It is certainly more effective than a username and password combination alone, and it is less costly and easier to implement than a hardware token solution.