Out-of-Band Authentication - Two-Factor Authentication - SMS

SAASPASS two-factor authentication provides stronger security than basic out-of-band authentication.

SMS-based one-time passwords (OTPs) are the most common form of out-of-band authentication. Text-messaging-based authentication is relatively easy to compromise: the entire SMS transport layer is insecure and the text messaging protocol does not support encrypted communications. Although SMS-based OTPs are insecure, their use persists because they work on old legacy phones. Out-of-band authentication and SMS OTPs are easily susceptible to Man-in-the-Middle and Man-in-the-Mobile types of attacks.

There are seven major flaws with SMS OTPs:

  • Does not prevent sophisticated attacks like man-in-the-mobile (MitMo)
  • There is no PIN control to generate it
  • The entire transport layer is insecure
  • Network latency - SMS delivery can sometimes be delayed by hours!
  • Requires mobile coverage - does not work when there is no network coverage
  • Fraudulent phone reassignment, also known as a phone porting scam
  • Large operating expenditure (OPEX) for mass deployments

Instituting SAASPASS two-step verification mitigates many of these attacks. SAASPASS also works on legacy feature phones such as Java ME and BlackBerry devices. Replace outdated, problematic out-of-band authentication with SAASPASS.

SMS OTP is only a stopgap solution. Adopt SAASPASS.
