SMS OTP
Have you ever switched phone providers? Maybe you walked into a store and found that shiny new phone you’ve always wanted (or just learned that you always wanted). The store employees are super happy with your choice to go with them. They get your information, you give them your phone number, and the next thing you know, you have a new phone and a new provider. Easy, right?
Now imagine someone else, who is not you, decides they want to go buy a new phone. Only this person wants to hack some of your accounts. They can pretend they are you. They tell the store your phone number. The store activates your phone number on their new device! They can now receive text messages intended for you. This little trick is called SIM swapping. There are many other ways for hackers to get your SMS messages. Some of these include setting up a forwarding number, or social engineering by convincing someone at the phone company they are you.
All this to say, SMS and phones are notoriously insecure channels. For something so easy to hack, it is surprising how often we use these channels to provide a layer of protection for our data and online accounts. Microsoft has even suggested that 2FA via SMS is a bad idea.
This is why SpartanAuth will not be implementing SMS 2FA. But it will provide many other options for 2FA. We hope this will encourage people to use more secure channels for authentication.
If you have any feature requests or suggestions on what factors would be the most helpful to have implemented in SpartanAuth, we’d like to hear from you. Please reach out to us at [email protected]