Multi-factor authentication – hard token, apps or SMS?

Topic: Technical, Uses of SMS

The 2018 mid-year Data Breach Quickview Report revealed that Australia had 24 data breaches and over 2.6 billion records exposed in the first half of 2018, ranking 5th globally by the number of data breaches and exposed records.  It’s estimated that cybersecurity incidents could cost $29 billion a year in Australia. For organisation with more than 500 employees, a single breach could cost as much as $35.9 million (source). Online security and safety is now a top priority for many businesses and organisations. The Australian Tax Office (ATO), for instance, has introduced in their Operational Framework for Digital Service Providers, a mandatory requirement for all cloud-based accounting systems to implement Multi-factor Authentication (MFA).  

What is MFA?

To understand MFA, we should first understand the common factors for authentication:

  1. Something you ‘know’ – a username, password, pin or an answer to a question
  2. Something you ‘have’ – a security token, smart card or software-based certificate
  3. Something you ‘are’ – a fingerprint, voice or iris pattern

MFA uses two or more of the above to verify a person’s identity. The most common second authentication method is via delivery of a one-time password (OTP) that is sent to a token, app or mobile phone via SMS.

Hard Token vs App-based Token vs SMS

Hard tokens are physical devices that are used to generate one-time passwords. They have been around for decades and is probably one of the oldest ways to send one-time passwords. Hard tokens have a few drawbacks. Firstly it requires both money and resources to purchase, assign and dispatch tokens to every single user who needs access to the system. There’s also the risk that the user can forget or lose their token, in which case users will not be able to access the system to perform the job duty they are required to do. In the case of lost tokens, extra resources will be needed to arrange for replacements and could cause further delays in system access. Cybersecurity is another concern for hard tokens. With cases like the RSA’s servers being hacked leading to 40 million employees’ access to sensitive data being leaked in 2011 or the man-in-the-middle attacks, the security issue with hard tokens is a concern.App-based tokens for one-time passwords have grown significantly as smartphones get more popular. While they don’t incur the cost of purchasing and deploying physical tokens, the cost associated with running and maintaining an app that works with all mobile phone models and operating systems can be prohibitive. Companies might also find it challenging to prompt system users, particularly contractors and vendors who only need access to the system occasionally, to download another app. And for people who do not use a smartphone, this authentication method becomes invalid and companies will need to source other methods.Using SMS for one-time passwords is inexpensive compared to both hard and app-based tokens. As SMS is universal to all mobile phones, there is no need to worry about different models or operating systems. The only cost incurred would be the message cost. There’s no need to purchase, ship, maintain and replace any hard tokens, nor provide the technical support that an app-based token needs.The set up procedure is also minimal. Companies only need to get a current mobile number from all users and advise that this method is now being used for authentication, and can then roll out SMS for one-time passwords almost immediately.In terms of users’ experience, SMS is certainly the most convenient method among the three. Users are not required to carry an additional device nor download and install any apps on their mobile phone. People generally carry their mobile phones with them all the time, thus enabling them to receive the one-time password and grant them access instantly.

Choosing an SMS provider

If you are considering SMS for MFA, there’re a few factors to consider when choosing the SMS provider. Firstly, what are the procedures regarding information security? Considering the sensitivity of the messages, data security is going to be at the top of your supplier selection criteria. Does the provider have robust procedures in place, or even better, any globally recognised standard to safeguard the security of your data? Another consideration is the reliability and timeliness of the delivery of your messages. As you want the users to receive the one-time password instantly when they request it, you should avoid choosing providers who use grey routing. Lastly, the flexibility and sturdiness of the SMS gateway should also be examined to ensure a smooth integration process and a substantial connection.       

How can Esendex help

Esendex, being the only ISO 27001 accredited SMS provider in Australia, provides a guarantee to customers that all of the processes and services conducted are aligned with the globally recognised information security standard. Our direct connections to major networks ensure your messages get delivered swiftly, securely and reliably. Together with all the SDKs, sample code and documentation provided for easy integration with our SMS gateway, we’ll be able to help set you up with SMS for multi-factor authentication in no time. Get in touch at 1300 764 946 and speak to one of our team today!   

Author Avatar
Prachi Bametha

Marketing Coordinator, Esendex Australia