
Why are fewer companies using SMS 2FA for authentication?

Instead of SMS two-factor authentication, some companies are switching to 2FA through messaging apps and social media platforms. Learn what's behind this authentication trend.

What is behind the trend of enterprises and developers moving away from SMS 2FA and toward authentication through social media platforms?

In 2019, Facebook announced that its Account Kit for iOS and Android would integrate authentication with the encrypted messaging app WhatsApp. Developers of mobile apps that use Account Kit can now have verification codes delivered to a user's WhatsApp instead of by Short Message Service (SMS) when the user logs in with a phone number.

Account Kit is Facebook's tool that lets developers log in and authenticate users without having to send two-factor authentication (2FA) or one-time password codes themselves. Account Kit sends these messages when they are needed, but it can also authenticate a user through their Facebook account and now through WhatsApp as well.

Two-factor authentication is a common method for verifying the identity of users. It authenticates users on two conditions: something they know and something they have. After a user submits a username and password, an SMS message or an email containing a random code is sent, and the user must enter that code into the service to complete the login. The username and password are known to the user, and the random code is sent to a device the user owns.

SMS 2FA is challenging for four reasons:

  1. SMS 2FA is expensive to operate at scale, since each message can incur a carrier charge.
  2. It is cumbersome for users, who often have to type the validation code manually into an app or on a separate device.
  3. Vulnerabilities around SMS interception have cropped up in recent years, lowering its effectiveness as a second factor.
  4. SMS delivery is not guaranteed; some messages never arrive.

Facebook, together with WhatsApp, accounts for over a billion users, and WhatsApp now offers 2FA delivery through its own service instead of via SMS.

Google does something similar for its own services: users can log in to their Google account, and the additional verification is done by sending a prompt to the user's Android device asking them to approve the sign-in -- no code entry required.

Going forward, two-factor authentication will likely not be limited to SMS and carrier platforms. It could follow the omnichannel trend seen in contact centers, which are expected to communicate with their clients over any channel, whether by phone, SMS or social networks.

Developers should ensure users can connect and authenticate with their service through other accounts -- be it WhatsApp, Facebook, Google or the carrier's SMS and phone service -- accessed on their device, rather than just through SMS.

Enterprises should consider adopting third-party verification services that aggregate different authentication channels, offer them in parallel, and provide fallback mechanisms that honor user preferences.
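The following is an added example, not code from the original article or from any of the products it mentions. It shows the one-time-code second factor described above (random code sent out of band, checked on entry) together with the multi-channel, preference-ordered fallback the last two paragraphs recommend. The channel senders, user names, code length, expiry and attempt limit are all assumptions constructed for the example; a real deployment would plug in actual WhatsApp, SMS or push gateways behind the same sender interface.

```python
"""Added example: a one-time-code second factor delivered over a list of
channels in the user's order of preference, falling back to the next channel
when delivery fails. All senders here are constructed in-memory stand-ins."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: lock the challenge after five wrong guesses


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked challenge store does not expose live codes.
    return hashlib.sha256(salt + code.encode()).digest()


class DeliveryError(Exception):
    """Raised by a channel sender when the message could not be delivered."""


@dataclass
class Challenge:
    user: str
    channel: str        # channel that actually delivered the code
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class VerificationService:
    # channel name -> callable(user, code); raises DeliveryError on failure
    senders: Dict[str, Callable[[str, str], None]] = field(default_factory=dict)
    # user -> channels in order of preference (first entry is tried first)
    preferences: Dict[str, List[str]] = field(default_factory=dict)
    challenges: Dict[str, Challenge] = field(default_factory=dict)

    def start(self, user: str, now: Optional[float] = None) -> str:
        """Generate a code and deliver it over the first working preferred channel."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit numeric code
        salt = secrets.token_bytes(16)
        for channel in self.preferences.get(user, []):
            sender = self.senders.get(channel)
            if sender is None:
                continue
            try:
                sender(user, code)
            except DeliveryError:
                continue                            # fall back to the next channel
            self.challenges[user] = Challenge(
                user, channel, salt, _hash_code(code, salt), now + CODE_TTL_SECONDS)
            return channel
        raise DeliveryError(f"no channel could deliver a code to {user}")

    def verify(self, user: str, submitted: str, now: Optional[float] = None) -> bool:
        """Check a submitted code: single use, time-limited, attempt-limited."""
        now = time.time() if now is None else now
        ch = self.challenges.get(user)
        if ch is None or ch.used or now > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(_hash_code(submitted, ch.salt), ch.code_hash)
        if ok:
            ch.used = True          # a correct code cannot be replayed
        return ok


def demo() -> dict:
    """Constructed scenario: WhatsApp delivery fails, SMS fallback succeeds."""
    delivered: Dict[str, str] = {}

    def whatsapp_sender(user: str, code: str) -> None:
        raise DeliveryError("constructed failure: no WhatsApp session for user")

    def sms_sender(user: str, code: str) -> None:
        delivered[user] = code       # stand-in for a real SMS gateway call

    svc = VerificationService(
        senders={"whatsapp": whatsapp_sender, "sms": sms_sender},
        preferences={"alice": ["whatsapp", "sms"]},   # constructed preference order
    )
    t0 = 1_000_000.0
    channel = svc.start("alice", now=t0)
    real = delivered["alice"]
    bad_guess = "000000" if real != "000000" else "000001"
    wrong = svc.verify("alice", bad_guess, now=t0 + 1)
    right = svc.verify("alice", real, now=t0 + 2)
    replay = svc.verify("alice", real, now=t0 + 3)
    svc.start("alice", now=t0)                          # fresh code, then let it expire
    expired = svc.verify("alice", delivered["alice"], now=t0 + CODE_TTL_SECONDS + 1)
    return {"channel": channel, "wrong": wrong, "right": right,
            "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The point of the `senders` map is that the rest of the system does not care whether the code travelled over WhatsApp, SMS, email or a push prompt; a failed channel (reason 4 above) simply yields to the next one the user chose, and the code itself is stored hashed, expires, is single-use and is attempt-limited regardless of channel.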

This was last published in May 2019


Join the conversation


Why would you consider using 2FA that uses messaging apps?
No, see comments. I suspect few users are willing to use a social media account for identity management; it violates personal data privacy.
The real issue is people do not truly understand the basics of Multi-Factor Authentication. Take your payment card as an example. This card supports the first factor, "What You Have". The PIN then becomes the second factor, "What You Know". Your passport is also a document supporting two-factor authentication. There is a chip, very similar to the one in your payment card, that proves to the person you give your passport to that it is a genuine passport issued by a particular country. There is then a picture printed in your passport and also stored inside it that the agent uses as the second factor, "What You Are".

Most computers, tablets and phones have what is called a Restricted Operating Environment built in. This ROE can be used to prove that this is a genuine device you registered. We can then layer a password, biometric or behavior on top to assure that it is you using your registered device.

Thanks for sharing information on SMS services. I really appreciate it.

The issues with SMS 2FA are not significant in the majority of use cases (e.g., added phone charges, etc.).
While there is a convenience issue with capturing the code from SMS 2FA into an app, it represents far less risk than using a social media account for 2FA.