SMS OTP Security (SOS): Hardening SMS-Based Two Factor Authentication

SMS-based two-factor authentication (2FA) is the most widely deployed 2FA mechanism, despite the fact that SMS messages are known to be vulnerable to rerouting attacks, and despite the availability of alternatives that may be more secure. This is for two reasons. First, it is very effective in practice, as evidenced by reports from Google and Microsoft. Second, users prefer SMS over alternatives, because text messaging is already part of their daily communication. Accepting this practical reality, we developed a new SMS-based protocol that makes rerouting attacks useless to adversaries who aim to take over user accounts. Our protocol delivers one-time passwords (OTP) via text message in a manner that adds minimal overhead (to both the user and the server) over existing SMS-based methods, and is implemented with only small changes to the stock text-message applications that already ship on mobile phones. The security of our protocol rests upon a provably secure authenticated key exchange protocol that, crucially, does not place significant new burdens upon the user. Indeed, we carry out a user study that demonstrates no statistically significant difference between traditional SMS and our protocol, in terms of usability.