
2FA - The Risks of Sending OTP via SMS

First published: 23/03/2020

Updated: 21/03/2022


Most organisations today use two-factor authentication (2FA) for their users and customers, to give them a more secure way of accessing their accounts. 2FA has indeed helped most users keep their accounts more secure than they were before its introduction. However, along with 2FA as a more secure way of authenticating users came new weaknesses that expose it to certain attacks.

Where is the Vulnerability?

The main issue lies with the basic implementation of the authentication system. Most systems use SMS messages to deliver tokens to users’ devices, building on the assumption that a user’s phone number is unique and is only associated with that particular user.

However, cases over the past 3 years have shown that delivering tokens via SMS is less secure than we might think. An attacker who is determined to break into your account or system will readily have your phone number moved to a device they control, so that every SMS meant for you arrives there instead. They might also try to intercept an SMS message going over the wire, as SMS messages are susceptible to interception. But swapping devices must be pretty difficult to do, right?

Unfortunately not. Some of the biggest telecommunication companies use personal information, such as billing addresses and PINs, to authorise a device swap. This is exactly the kind of information that is exposed to social engineering, so the telecom company may fail to notice that the caller initiating the request is malicious.

Push Notification Authentication

Given the current weaknesses of SMS, there has to be a better way to implement 2FA systems with minimal risk of interception and social engineering. The solution? Push Notification Authentication, which provides a better way of authenticating a user on the Internet.

When implemented properly, it is a better way of ensuring that the right user has control over their accounts. This is made possible by “Device Tokens”, each assigned to a unique device, making sure that only the targeted device receives the notification.

Keep in mind that push notification systems are built by some of the largest tech organisations out there, such as Google and Apple, which provide a strong security infrastructure.

Okay Secures Push Notification Systems

The responsibility for keeping push notification systems out of the reach of malicious hackers therefore rests on the implementation and design of the application and its server. No matter how secure a push notification provider is, if the credentials used to send notifications are not kept secure, any malicious hacker who acquires them can send push notifications.

Okay is well aware that push notification systems can be broken into, and that their security depends heavily on the application implementing them. That is why we provide an extra layer of security over the device and the application to ensure that transactions are not tampered with.

We do this through a sandbox, in which multiple integrity checks are performed to make sure everything remains intact and that transactions are invalidated if malicious intent is detected.
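To make concrete what device-bound approval adds over an SMS code, here is an added illustrative model of the server side of a push approval flow. It is constructed for this article and is not Okay’s code or a description of Okay’s sandbox. The “device token” is modelled as a per-device secret shared once at enrollment and used to HMAC the challenge; real deployments would use the platform push token together with a device-held key. The field names, the clock injection and the transaction strings are all assumptions made for the example.

```python
"""Constructed model of device-bound push approval (not Okay's code)."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of a pending approval


def _mac(secret, challenge_id, nonce, details):
    # The approval binds the challenge, a fresh nonce and the exact
    # transaction details shown to the user, so none can be altered.
    message = "|".join([challenge_id, nonce, details]).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class PushAuthServer:
    """Keeps per-device secrets and single-use, expiring challenges."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable for testing expiry
        self._devices = {}         # device_id -> (user_id, secret)
        self._pending = {}         # challenge_id -> challenge record

    def enroll_device(self, user_id, device_id):
        # Assumption: the secret is provisioned to the device once,
        # over a trusted channel, and stands in for a device key.
        secret = secrets.token_bytes(32)
        self._devices[device_id] = (user_id, secret)
        return secret

    def start_approval(self, user_id, device_id, details):
        """Create a challenge; the returned payload goes to that device only."""
        owner, _ = self._devices[device_id]          # unknown device -> KeyError
        if owner != user_id:
            raise ValueError("device is not enrolled for this user")
        challenge_id = secrets.token_hex(16)
        nonce = secrets.token_hex(16)
        self._pending[challenge_id] = {
            "device_id": device_id,
            "nonce": nonce,
            "details": details,
            "expires": self._clock() + CHALLENGE_TTL_SECONDS,
        }
        return {"challenge_id": challenge_id, "nonce": nonce, "details": details}

    def approve(self, challenge_id, device_id, response_mac):
        """Accept an approval only if it is fresh, from the right device,
        over the original details, and has not been used before."""
        record = self._pending.get(challenge_id)
        if record is None:                             # unknown or already consumed
            return False
        if self._clock() > record["expires"]:          # stale challenge
            del self._pending[challenge_id]
            return False
        if device_id != record["device_id"]:           # wrong device answering
            return False
        _, secret = self._devices[device_id]
        expected = _mac(secret, challenge_id, record["nonce"], record["details"])
        if not hmac.compare_digest(expected, response_mac):
            return False                               # tampered details or wrong key
        del self._pending[challenge_id]                # single use: blocks replay
        return True


def device_respond(secret, payload):
    """Device side: the user reviews payload['details'] and taps approve."""
    return _mac(secret, payload["challenge_id"], payload["nonce"], payload["details"])


def demo():
    """Run the flow once and exercise each failure mode; returns the outcomes."""
    fake_now = [1_000_000.0]
    server = PushAuthServer(clock=lambda: fake_now[0])
    secret = server.enroll_device("alice", "phone-1")

    # Normal approval, then a replay of the same approval.
    p1 = server.start_approval("alice", "phone-1", "transfer 50 EUR to DE00 TEST")
    mac1 = device_respond(secret, p1)
    approved = server.approve(p1["challenge_id"], "phone-1", mac1)
    replayed = server.approve(p1["challenge_id"], "phone-1", mac1)

    # Details altered in transit: the device signs what it was shown.
    p2 = server.start_approval("alice", "phone-1", "transfer 50 EUR to DE00 TEST")
    altered = dict(p2, details="transfer 5000 EUR to DE00 TEST")
    tampered = server.approve(p2["challenge_id"], "phone-1", device_respond(secret, altered))

    # Someone who received the notification but lacks the device secret.
    p3 = server.start_approval("alice", "phone-1", "login from new browser")
    wrong_key = server.approve(p3["challenge_id"], "phone-1", device_respond(b"\x00" * 32, p3))

    # A challenge answered after its lifetime.
    p4 = server.start_approval("alice", "phone-1", "login from new browser")
    fake_now[0] += CHALLENGE_TTL_SECONDS + 1
    expired = server.approve(p4["challenge_id"], "phone-1", device_respond(secret, p4))

    return {"approved": approved, "replayed": replayed, "tampered": tampered,
            "wrong_key": wrong_key, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The point of the model is in `approve`: possession of the notification alone is worthless without the device-held secret, a captured approval cannot be replayed, and any change to the transaction details between what the server requested and what the user approved invalidates the transaction.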

Would you like to know more about Strong Customer Authentication with Okay? Take a look at our use cases or reach out to book a demo.