Is cell phone number based verification secure?

If it is not secure, are there any better alternatives?

It's secure for certain threat models, and the best tradeoff for accessibility vs attack surface. To intercept an SMS, you have to have some control over the routing of the messages or the device receiving it.

Without privileged information / insight provided at the carrier level, SMS is the best authentication method available despite its flaws, including convincing users to send a third party the code when they receive it.

If you need a stronger confirmation of some kind of connection between identity and a user online, you probably require something that's not a phone to be involved. Mailing a hardware token that is paired with a code displayed to the user is more secure, but it's also more costly and slower. FIDO2 stands to prevent replay, but doesn't provide the sense of scarcity that phone numbers do, as most people won't pay the money to be able to register lots of phone numbers, unless you're getting into attestation signatures, and that opens a whole new can of worms...

Each of these "stronger" solutions addresses different problems and raises additional cost and complexity burdens put upon either the company, the end user, or both. SMS remains the most attainable target for the general public.


Originally this question wasn't about SMS verification (e.g. for password recovery or MFA), but about validation of the phone number. This answer addresses that question.

The purpose of the verification is not to validate ownership of the number, but only access to it. Verifying the ownership of a subscription would be a legal thing and require legal documents. Parents typically own the subscriptions for their children, workplaces for their employees, etc. Furthermore, there's no need to verify the ownership, as the use cases are related to the access.

You are asking for a better verification than SMS, but SMS is the easiest verification available, as there aren't that many methods that are both bound to the number and accessible by its user. Well, the system could call the user and a robot could tell the secret, but that doesn't add anything, because phone calls could be listened to, too. It would also be a nightmare for the hearing impaired.

On the other hand, there's no real need for stronger authentication, as the purpose is to prevent mistyping the number, possibly rendering e.g. MFA unavailable for the user. From the site's perspective the verification might also be for avoiding unnecessary messages to third parties, if you accept SMS notifications or even advertisements.
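Both answers describe the same mechanism: a site sends a short code to the number, the user types it back, and that proves access to the number (not ownership) and catches a mistyped number. The following is an added example, not code from either answer, showing what a defensible server-side implementation of that flow looks like: the code is random, short-lived, single-use, stored only as a keyed hash, compared in constant time, and limited both in guesses per code and in sends per number (so the verification endpoint cannot be used to pump SMS at third parties). The `send_sms` callable, the pepper value and the phone number are hypothetical placeholders; a real deployment would plug in its own gateway and secret storage.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6            # digits in the one-time code
CODE_TTL_SECONDS = 300     # a code is only valid for five minutes
MAX_ATTEMPTS = 5           # guesses allowed per issued code
MAX_SENDS_PER_HOUR = 3     # codes issued per number per hour (limits SMS pumping)

# E.164 format: leading '+', non-zero country-code digit, 7..15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass
class Challenge:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int


class PhoneVerifier:
    """Issues and checks SMS verification codes; proves access to a number, nothing more."""

    def __init__(self, send_sms, pepper: bytes, now=time.time):
        self._send_sms = send_sms       # hypothetical gateway: callable(number, text)
        self._pepper = pepper           # server-side secret, kept out of the datastore
        self._now = now                 # injectable clock so expiry can be tested
        self._challenges: dict[str, Challenge] = {}
        self._send_times: dict[str, list[float]] = {}

    def _hash(self, number: str, code: str, salt: bytes) -> bytes:
        # Only a keyed hash is stored, so a leaked table does not expose live codes.
        msg = salt + number.encode() + b"\x00" + code.encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def start(self, number: str) -> bool:
        """Generate a fresh code for `number` and hand it to the SMS gateway."""
        if not E164.match(number):
            raise ValueError("phone number must be in E.164 format")
        now = self._now()
        recent = [t for t in self._send_times.get(number, []) if now - t < 3600]
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return False                # refuse: too many codes sent to this number
        self._send_times[number] = recent + [now]

        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        salt = secrets.token_bytes(16)
        self._challenges[number] = Challenge(
            code_hash=self._hash(number, code, salt),
            salt=salt,
            expires_at=now + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._send_sms(number, f"Your verification code is {code}. Never share it with anyone.")
        return True

    def confirm(self, number: str, code: str) -> bool:
        """Return True only if `code` matches the live challenge for `number`."""
        ch = self._challenges.get(number)
        if ch is None:
            return False
        if self._now() > ch.expires_at or ch.attempts_left <= 0:
            del self._challenges[number]      # expired or exhausted: the user must start over
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(self._hash(number, code, ch.salt), ch.code_hash)
        if ok:
            del self._challenges[number]      # single use: a replayed code is rejected
        return ok


def code_from_message(text: str) -> str:
    """Pull the digits out of a sent message (used by the demo's fake gateway)."""
    return re.search(rf"\d{{{CODE_LENGTH}}}", text).group(0)


def demo():
    """Constructed walk-through with a fake gateway that just records messages."""
    outbox = []
    verifier = PhoneVerifier(send_sms=lambda n, t: outbox.append((n, t)),
                             pepper=b"constructed-demo-pepper")
    number = "+15550100123"                             # constructed sample number
    verifier.start(number)
    sent = code_from_message(outbox[-1][1])
    wrong = str((int(sent) + 1) % 10 ** CODE_LENGTH).zfill(CODE_LENGTH)
    mistyped = verifier.confirm(number, wrong)          # a typo or a guess: rejected
    correct = verifier.confirm(number, sent)            # the real code: accepted once
    replayed = verifier.confirm(number, sent)           # same code again: rejected
    return mistyped, correct, replayed


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

The challenge and send-time tables live in memory here; in production they belong in a shared store with the same TTL semantics, and the pepper in a secrets manager rather than in source. Note what the design does not try to do: it cannot tell whether the person reading the SMS is the subscriber, which is exactly the "access, not ownership" limit the second answer describes.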