While SMS authentication is a huge leap forward from a sole reliance on usernames and passwords, SMS OTPs are not ironclad. Luckily, with constant innovations in the IAM space, there are several good choices for alternate 2FA and MFA approaches.
1. FIDO2
FIDO2 is more than an alternative to SMS authentication. The name refers to the current set of security standards published by the FIDO Alliance for passwordless and second-factor login: the W3C WebAuthn browser API and the Client to Authenticator Protocol (CTAP2), which lets a browser or operating system talk to an external authenticator. The letters stand for “Fast Identity Online” and the number 2 marks this iteration of the FIDO Alliance standards.
According to their website, “The FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords.” As innovations in the identity industry emerge, so do new standards and technologies from the FIDO alliance, such as FIDO2.
FIDO2 Cryptographic Keys: FIDO2 uses “public key cryptography for authentication that is more secure than passwords and SMS OTPs.” At enrollment the authenticator generates a key pair for that particular site and hands over only the public key; the private key stays on the authenticator, which may be a roaming device such as a key fob or a platform authenticator built into a phone or laptop and unlocked with a fingerprint or PIN. At login the server sends a random challenge, the authenticator signs it together with a hash of the site's identifier, and the server verifies the signature with the stored public key. Because the private key never leaves the device and the signature is bound to the genuine site, there is no code for the user to type into a phishing page and nothing reusable for an attacker to intercept.
2. Mobile Authenticator Apps
On the surface, mobile authenticator apps work in a fashion similar to SMS messaging: the user types a short code in alongside a password. Both fall within the “something you have” classification of MFA, but what is actually being proven differs. An SMS code is generated by the server and carried to the user over the carrier network, so it proves control of a phone number. An authenticator app holds a secret that was seeded onto the device at enrollment (typically by scanning a QR code) and derives each code from that secret and the current time, so it proves possession of the enrolled device. Every hop in the SMS path is an additional place to attack.
The most important aspect of mobile authenticator apps is that they operate independently of the internet and cellular service: nothing is transmitted to the phone at login time. As such, the OTPs they generate are immune to SIM swapping and to interception in transit. They are not immune to real-time phishing: a code is valid for a short window (usually 30 seconds), and a phishing page that forwards it to the genuine site within that window will succeed, which is why FIDO2 rather than an app-generated code is the phishing-resistant choice. Two practical caveats follow from the design: the shared secret also lives on the server, so it must be protected with the same care as a password database, and the server should refuse to accept a code for a time step it has already accepted. Authenticator apps are widely used and are offered by Ping Identity, Microsoft, and Google.
3. Email Authentication
Email authentication is another form of MFA used to supplement usernames and passwords. With email authentication, an OTP or a magic link is sent directly to the user’s inbox to verify their identity. It is a popular MFA method, commonly used to add friction when activity looks suspicious, such as a login from a new IP address.
Since users must have login credentials to access their email accounts in the first place, email authentication adds an extra layer of security, and for that reason it is usually placed in the “something you know” category of MFA. That is also its weakness: the factor is only as strong as the mailbox's own password, and if that password is reused with the account being protected, the second factor collapses into the first. Because an inbox is not tied to a specific device the way a cryptographic key or an authenticator app is, it may be compromised through phishing or a data breach, and a magic link that is forwarded or delivered to a shared mailbox works for whoever receives it.
4. Voice Call Authentication
Voice call authentication is another popular alternative to SMS messaging. With voice call authentication, the OTP is read out to the user over a phone call. It is another “something you have” MFA method: whether on a mobile phone or a landline, users prove their identity by having access to the phone number associated with their account. That is the same thing an SMS code proves, so voice calls inherit the phone-number weaknesses of SMS, including SIM swapping; NIST SP 800-63B treats both as restricted out-of-band authenticators.
A plus for voice call verification is that the OTP is never displayed on a screen, so it cannot be read over the user's shoulder, though a code spoken aloud can still be overheard. If the user misses the call, the OTP expires and a new one is generated on the next attempt.
To learn more about different forms of authentication, read our Ultimate Guide to Authentication.