
At first glance, this might sound like a reasonable request and a convenient, secure mechanism. It is far from it. Just last week, a friend lent his mobile phone to someone to make a quick call. A few hours later, he discovered that the borrower had removed the SIM and the mobile banking app. Now in possession of the SIM, the attacker was able to request a reset of his Internet banking password, apply for an overdraft and help themselves to the additional funds. This type of attack is not an isolated case; PayPal has had similar issues, with attackers convincing mobile network providers to issue a replacement SIM and then taking over the user's PayPal account.

The creators of SMS never intended it to be a security transport and have never felt the need to secure it fully. As a second factor, SMS has had some success in reducing account compromises. The critical difference there is that the attacker needs both the user's password and the SIM, not just the SIM.

So the answer is no: don't use SMS for password reset. Email is a far better choice, as it requires the attacker to obtain at least a password (which only you should know) and, ideally, a second factor to access your inbox.
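The reset flow the post recommends (a link sent to the user's verified email address) still has to be built carefully on the server side. The following Go program is an added example, not the post's own code and not Rock Solid Knowledge's; it assumes a constructed in-memory store keyed by account ID (hypothetical, standing in for a database table) and shows the properties a reset token needs: unguessable, stored only as a hash, time-limited, single-use, and failing with one uniform error so the endpoint never confirms which accounts exist.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// ErrInvalidToken is returned for every failure so a response never reveals whether the
// account exists, the token expired, or the link was already used.
var ErrInvalidToken = errors.New("invalid or expired reset token")

// resetRecord is what the server persists: a hash of the token, never the token itself,
// so a leaked table does not hand out working reset links.
type resetRecord struct {
	tokenHash []byte
	expires   time.Time
	used      bool
}

// ResetStore is a constructed in-memory store keyed by account ID (hypothetical; a real
// service would keep the same fields in its database).
type ResetStore struct {
	records map[string]*resetRecord
	now     func() time.Time // injected clock so expiry can be tested deterministically
}

func NewResetStore(now func() time.Time) *ResetStore {
	return &ResetStore{records: map[string]*resetRecord{}, now: now}
}

// Issue creates a fresh single-use token for accountID. The returned raw token is the only
// thing that goes into the emailed link; issuing again replaces any earlier token.
func (s *ResetStore) Issue(accountID string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32) // 256 bits from the OS CSPRNG, so the token cannot be guessed
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	sum := sha256.Sum256([]byte(token))
	s.records[accountID] = &resetRecord{tokenHash: sum[:], expires: s.now().Add(ttl)}
	return token, nil
}

// Redeem validates a presented token and, on success, burns it so the link cannot be replayed.
func (s *ResetStore) Redeem(accountID, token string) error {
	rec, ok := s.records[accountID]
	if !ok {
		return ErrInvalidToken
	}
	sum := sha256.Sum256([]byte(token))
	// Hash comparison is constant-time; expiry and single use are enforced in the same branch.
	if rec.used || s.now().After(rec.expires) || subtle.ConstantTimeCompare(sum[:], rec.tokenHash) != 1 {
		return ErrInvalidToken
	}
	rec.used = true
	return nil
}

func main() {
	store := NewResetStore(time.Now)
	token, err := store.Issue("alice", 15*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("emailed link would carry:", token)
	fmt.Println("first redeem:", store.Redeem("alice", token))  // <nil>
	fmt.Println("second redeem:", store.Redeem("alice", token)) // invalid or expired reset token
}
```

The token itself is the only secret in the flow, which is why it is never logged or stored in the clear and why a short lifetime matters. It is also why the post's point about the inbox holds: the link is exactly as safe as the mailbox it lands in, so the email account should itself sit behind a password and a second factor.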

Why Not Just Remove Passwords Altogether

With the arrival of FIDO PassKeys, we should also welcome the day when SMS is no longer the most popular second factor, removing our reliance on a short message service to secure our most valued accounts.

This is exactly what Google is doing: when a user requests a password reset, Google encourages them to set up PassKeys so they never need to perform a password reset again. With the likes of Google and Microsoft putting their weight behind this technology, it will soon become the de facto method of authentication. Users will come to consider sites that still use passwords old-school, insecure and a pain to use.

If you are using Windows, macOS, iOS or Android, then you can make use of PassKeys. Why not try it for yourself at fido.identityserver.com? Register for an account with your current device; you don't need to set a password, because your device creates and stores a unique credential (the passkey). Once registered, log in and notice that no password is required. If you have another device that uses the same cloud storage as the registered device (iCloud, Google Cloud), then that device can also log in without any entered credentials, because the PassKey is synchronized across your trusted devices. This is MFA without the stress: it requires something you have (the device) together with something you know (a password/PIN) or something you are (biometrics to unlock your device).
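Why no password is needed becomes clear from what the server actually checks when a passkey signs in. The Go code below is an added example, not the post's code and not the FIDO2 component it mentions: standard library only, ES256 only, no attestation. The relying-party ID `example.test` and origin `https://example.test` are constructed values, and the user's device is simulated in-process by the hypothetical helpers `registerSimulatedDevice` and `simulateAuthenticator`, so the whole exchange runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Relying-party settings: constructed values for this example, not a real deployment.
const rpID, origin = "example.test", "https://example.test"

// clientData mirrors the clientDataJSON fields the server must check (challenge kept as a string here).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser returns from navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // DER ECDSA over authData || SHA-256(clientDataJSON)
}

// Credential is all the relying party keeps from registration: a public key and the last sign count.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// registerSimulatedDevice (hypothetical) plays a simplified registration: the device makes a P-256 key pair.
func registerSimulatedDevice() (*ecdsa.PrivateKey, *Credential) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, &Credential{PublicKey: &priv.PublicKey}
}

// signedMessage is the byte string an authenticator signs for an assertion.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// VerifyAssertion performs the checks a passkey login needs; expectedChallenge is the per-login random value the server issued.
func VerifyAssertion(cred *Credential, a Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: stale or replayed response")
	case cd.Origin != origin:
		return errors.New("origin mismatch: signed for a different site")
	case len(a.AuthenticatorData) < 37:
		return errors.New("authenticator data too short")
	case !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case a.AuthenticatorData[32]&0x01 == 0: // UP flag: the user touched or unlocked the device
		return errors.New("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if count != 0 && count <= cred.SignCount { // a non-increasing counter suggests a cloned key
		return errors.New("sign counter did not increase")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify against the registered key")
	}
	cred.SignCount = count
	return nil
}

// simulateAuthenticator (hypothetical) stands in for the device: it holds the private key and signs what a real authenticator signs.
func simulateAuthenticator(priv *ecdsa.PrivateKey, challenge, clientOrigin string, count uint32) (Assertion, error) {
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: clientOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags = UP, then a 4-byte counter
	binary.BigEndian.PutUint32(authData[33:], count)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cdJSON, Signature: sig}, nil
}
```

The server holds nothing an attacker could reuse: only a public key, so a breached user table yields no credentials, and the private key never leaves the device's secure storage. The origin check is what defeats phishing: the browser, not the user, fills in `clientDataJSON`, so a response obtained on a look-alike site does not verify for the real one. The sign counter catches a cloned key, but synchronized passkeys commonly report a counter of zero, which is why a zero value is tolerated rather than treated as a clone.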

A more in-depth discussion on 2FA and FIDO2 can be found here.

If you would like to add frictionless MFA to your application, why not give our .NET Core FIDO2 component a go?

Andrew is a Director at Rock Solid Knowledge.