Two Factor Authentication: SMS vs. Tokens


The numbers are staggering. About 750 million airline passengers must remove their shoes every year because one lone nut, Richard Reid (now a resident of a supermax prison in Colorado), once tried to blow up a plane with a shoe loaded with pentaerythritol tetranitrate (PETN). The hordes of stamping stockinged feet notwithstanding, PETN is not detectable on the scanners used by airport security gatekeepers. A chemical test is needed.

Evidently the illusion of feeling secure is enough to calm skittish nerves. Sheer numbers tell their own story; a classic case of one bad seed spoiling the batch.

It calls to mind the seeds that were stolen from RSA SecurID tokens and subsequently used to attack Lockheed Martin and other unconfirmed defense contractors. These internal seeds comprise a secret key hard-coded into the token itself, and are the logical equivalent of a combination to a vault. Now 30,000 worried RSA customers are looking to have 35 million hardware tokens replaced.

On further probing, it’s interesting to note that the financial and reputational losses suffered by RSA and its customers from using a proven two-factor authentication mechanism were all the result of one bad file and poor judgment on the part of one RSA employee. The take-away is that it could’ve happened to anyone, and that we’ve entered the era of using social engineering to make employees unwitting participants in elaborate hacks.

RSA is calling the attack an advanced persistent threat (APT), and fingers are pointing at Operation Aurora, which Google experienced last year and claimed had originated from China. Wherever its origin, the APT is a sophisticated attack that is making RSA throw up its hands not in defeat, but in recognition that “a new defense doctrine” is called for.

We reached out to IT security experts across the country, and many are hollering for a switch away from tokens in favor of SMS-based authentication. But is SMS necessarily superior to hardware tokens?

SecurID tokens comprise complex cryptographic algorithms. To steal a few seeds is not enough to get access to all the goods. The tokens generate one-time passwords every 30 or 60 seconds. A hacker would need to do more than intercept the password. He would have to know the token’s serial number or clone one, and he’d need ready access to the token’s authentication server, which must match its code with the one generated by the token. Once these two align, access (typically by remote VPN) is possible. Once a SecurID token is compromised, it must be replaced. And to provision millions of new ones cannot be a simple feat.
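The seed-and-clock matching described above, as an added example that is not from the article or from RSA: SecurID's algorithm is proprietary, so the open RFC 6238 time-based OTP scheme stands in for it, and `AuthServer`, the serial number and the seed are hypothetical, constructed values. It shows why the code depends only on the seed and the clock, and why a leaked seed can be fixed only by issuing a new one.

```python
import hashlib
import hmac
import struct

def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 code for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class AuthServer:
    """Hypothetical server that keeps a copy of each token's seed by serial."""

    def __init__(self, seeds, step=60, drift_steps=1):
        self.seeds = dict(seeds)
        self.step = step
        self.drift = drift_steps
        self.last_step = {}  # serial -> newest time step already accepted

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        current = now // self.step
        # Newest step first; tolerate a token clock that is one step off.
        for s in range(current + self.drift, current - self.drift - 1, -1):
            if s <= self.last_step.get(serial, -1):
                continue  # this step or a later one was already used: no replay
            expected = totp(seed, s * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_step[serial] = s
                return True
        return False

    def replace_token(self, serial: str, new_seed: bytes) -> None:
        """A leaked seed cannot be patched in the field; only a new seed helps."""
        self.seeds[serial] = new_seed
        self.last_step.pop(serial, None)

if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample seed (RFC test key)
    server = AuthServer({"000123": seed})
    code = totp(seed, 120)  # what the token displays; needs only seed + clock
    print(code, server.verify("000123", code, 130), server.verify("000123", code, 130))
```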

Security experts weigh in

“Aspects such as deployment, manageability and superior authentication are just a few things that set SMS-based authentication apart,” said Cedric Jeannot, founder of data encryption company I Think Security in Waterloo, ON.

Bank of America uses two-factor SMS authentication whenever a customer wants to make a change to their account, such as setting up a new bill payee. It simply sends a one-time password to the account holder’s cellphone. This is also the model that Brainloop uses on its document security application, in use by the likes of BMW and Deutsche Telekom. Like tokens, the PIN is valid only once and expires after a fixed time.
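A sketch of the server side of such an SMS one-time password, added here as an example and not taken from Bank of America, Brainloop or the article: the class name, the 5-minute lifetime and the attempt limit are assumptions, and delivery to the SMS gateway is left to the caller. It enforces the two properties named above, single use and a fixed expiry.

```python
import hashlib
import hmac
import secrets

class SmsOtpIssuer:
    """Hypothetical issuer of random, single-use, short-lived codes."""

    def __init__(self, ttl_seconds=300, max_attempts=3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.pending = {}  # account -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account: str, now: int) -> str:
        """Create a code for one pending action; the caller sends it by SMS."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        salt = secrets.token_bytes(16)
        # Keep only a salted digest. Six digits is a small space, so the
        # attempt limit below is what actually stops guessing.
        self.pending[account] = [salt, self._digest(salt, code),
                                 now + self.ttl, self.max_attempts]
        return code

    def verify(self, account: str, code: str, now: int) -> bool:
        entry = self.pending.get(account)
        if entry is None:
            return False  # never issued, already used, or already discarded
        salt, digest, expires_at, attempts_left = entry
        if now >= expires_at or attempts_left <= 0:
            del self.pending[account]  # expired or guessed too often
            return False
        if hmac.compare_digest(self._digest(salt, code), digest):
            del self.pending[account]  # valid only once
            return True
        entry[3] -= 1
        return False
```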

“SMS is a viable alternative to token-based authentication on the grounds that SMS is much easier to manage and relatively inexpensive,” said Markus Seyfried, CTO at Boston-based Brainloop.

There is also comfort in carrying around a device that nearly everyone already owns. And when you lose it, you notice it immediately, unlike a token, which may be used only sporadically. More than that, once a token is reported missing, the authentication server administrator will need to be alerted, causing some delay in its being invalidated.

“Users tend to notice the loss of their cell phone very quickly and can react by remotely blocking the SIM card. Because of that, mobile devices are more flexible and a secure part of the data protection infrastructure than token technology,” said Seyfried.

On April 1, Uri Rivner, head of new technologies, consumer identity protection at RSA, wrote a blog post, Anatomy of an Attack, that got to the root cause of the SecurID fiasco. He described phishing emails sent to office employees with the subject line “2011 Recruitment Plan.” Ironically enough, the email was identified by the spam filter and thrown into the junk folder, but the employee retrieved it and opened the attached Excel .XLS file anyway.

“The spreadsheet contained a zero-day exploit that installs a backdoor through a [former] Adobe Flash vulnerability (CVE-2011-0609),” Rivner wrote.

Rivner identified this phishing attack as a typical APT: the malware installed a remote administration payload that allowed the attacker to control the endpoint.

“In our case, the weapon of choice was a Poison Ivy variant set in a reverse-connect [mode] that made it more difficult to detect,” wrote Rivner. Eventually, the attacker sought out users with higher security clearances.

“Requiring users to carry a security token now that SMS-based authentication is available is outdated and, in many cases, reduces the security offered through a properly designed text messaging process,” said Scott Goldman, CEO of TextPower, based in San Juan Capistrano, CA, which develops text messaging services for utilities and B2C organizations.

One value of SMS-based authentication is that the SMS is sent, most of the time, from a central entity; the cellphone is just the receiving end.

“For security tokens, in most cases, each device is autonomous. RSA’s SecurID does not connect to the Internet to update its numbers. There’s a seed, a loading time, and a pre-defined algorithm that generates numbers based on that seed. This is an embedded system. If the algorithm or the seed is compromised, there is no way to update the tokens; they must be collected and new ones distributed,” said Jeannot.

Carly Ann Campo of Envoy Data Corporation, a distributor of smart cards and tokens, takes a contrarian view on the security front yet touts low TCO. “SMS-based tokens are a bit more insecure because the system generates the one-time password and sends it over the air, giving rise to the possibility of unauthorized individuals intercepting the data. A software-based or hard token generates the OTP on the device itself, isolating the data to the physical device. However, for some businesses, the marginal security difference is trumped by the low cost to operate and replace. SMS-based solutions are intuitive due to the commonplace familiarity associated with mobile devices like cellphones. We aren’t intimidated by an item we use in our everyday lives.”

Is SMS superior?

In answering the question directly on whether SMS-based authentication is superior to security tokens, Philip Lieberman, president of Lieberman Software and chief blogger at IdentityWeek, said, “It’s really a toss-up with no right answer. SMS-based authentication is technically inferior to hard tokens in that the transmission could theoretically be intercepted and used by an intruder. In practice, the SMS method is superior since the organization does not have to worry about token distribution or lost tokens and this is a less expensive and generally a more easily deployed methodology. Most of the cost and complexity of hard tokens revolves around configuration and distribution.”

One could easily argue that the safest bet resides in looking at how the application itself is used, and in comparing the practicality and ease of use of the two solutions. Not only that, but given the case of employee hacking at RSA, the security privileges granted each user should match the level of defense used to protect that user. High profile targets may require additional security mechanisms or even a “new defense doctrine.”

“Neither approach is necessarily superior or inferior,” said Andrew Young, VP of Authentication at RSA rival SafeNet. “When you consider your options for authentication methods and form factors, you need to address three key areas: risk, cost, and user experience. SMS-based authentication is one option for strong authentication and, depending on what the activity (use case) is, the level of risk associated with that activity, the cost to deploy, and the experience required by the user… it’s one of many choices.

“Rather than choosing one method over the other, it’s all about selecting the right solution for the specific information you want to protect. It could be that you want a combination of both, where in some cases you use SMS, and in others, it’s tokens. For example, you may use SMS for most employees, but use tokens for your IT administrators who have direct access to your sensitive information. The bottom line is, organizations should make sure they maintain that freedom of choice when planning their authentication approach.”

Victor Cruz is a consultant and writer living in Boston whose articles have appeared in American Venture, Cloud Computing Journal, CSO Magazine, Communications News, Computer Technology Review, Harvard Review, Medical Design Technology, and WebSecurity Journal. He has advised some 50 IT companies in the past 20 years on their marketing strategies. You can reach him at


