I recently forgot the password to the personal area of my bank’s online banking app. Here is the password-reset process, carried out from my smartphone’s browser:
- Enter my ID number
- Enter the number of one of my debit cards and its PIN
- Request an SMS carrying a verification/confirmation code
- Receive the verification code by SMS, enter it to regain access to the app, and create a new permanent access code
The problem with sending verification codes via SMS
As the flow diagram above (image 1) shows, step 4, receiving the verification code, happens with the screen locked: the SMS preview is displayed on the lock screen, so the code can be read by anyone who has the phone within reach, without knowing how to unlock it.
This is a security weakness: anyone who has our device in hand, or who has taken over our SIM (for example through a SIM swap), can read the verification code and take control of our bank account. From that point on we can only “pray” that the bank runs an anti-fraud engine based on behavioural analytics that is able to tell that the person using the banking app is an impostor and not the legitimate user.
It is true that to get this far a fraudster will first have had to do some work: obtaining our ID number and learning our debit card number and PIN. However, theft of these credentials is an everyday occurrence; depending on whether it is carried out by email, by phone call or by text message, this type of fraud is known as phishing, vishing or smishing.
Why do we still use SMS?
According to Twitter’s report on the security of its user accounts, 80% of users who have enabled two-factor authentication (2FA) receive their code by SMS. Twitter also supports other 2FA methods: an authenticator app that has to be installed and that generates the verification code locally each time, or a security key, a hardware device plugged into the USB port of a PC, which replaces the verification code on the assumption that only the legitimate user possesses it.
Given how simple SMS is compared with these alternatives, it is reasonable that most Twitter users prefer it for receiving the verification code: it requires neither installing an app nor buying an extra hardware device. Moreover, everyone already knows how SMS works, so there is nothing new to learn, as there may be with authenticator apps or security keys.
Could we increase security when sending SMS?
As we have seen, SMS is a widely accepted way for users to receive confirmation codes; its usability and familiarity (much as we may regret it) make it the preferred option. However, as shown above, this method is exposed to phishing and to anyone who can read the text, whether by looking at the locked phone or by taking over the SIM, so finding a way to secure SMS-based confirmation would be of great value to users.
From Telefónica Tech’s Identity Innovation Lab at the Marina de Valencia, together with our colleagues who are experts in identity verification solutions at Mobbeel, we have developed a solution based on the FIDO2 standard that allows user transactions to be confirmed by SMS in a secure way, by introducing biometrics in the middle of the process.
As step 4 of the diagram above (image 3) shows, instead of receiving a verification code by SMS, the user receives an SMS asking them to authenticate with the unlock mechanism they already use on their own phone: Touch ID, Face ID, or the unlock pattern or code. Once that local verification succeeds, the user continues with the reset of their app password. Nothing secret travels in the SMS itself, so a text read off a lock screen or received on a swapped SIM is of no use on its own.
Secure SMS verification via biometrics
Telefónica and Mobbeel have pioneered the implementation of the FIDO2 standard to solve a real problem that affects most users of digital services and products. Secure SMS with biometrics helps to prevent online fraud through identity theft: someone with bad intentions who “gets in the middle” and reads the SMS obtains nothing they can use, because the proof of identity is produced on the user’s own registered device only after Touch ID, Face ID or the unlock code succeeds. An attacker would therefore need that device in hand and the ability to unlock it, rather than just a glance at a lock screen or control of the SIM.