Two-Factor Authentication - Yes, There Are Alternatives to RSA
Written by: Bill Mathews
From Eye of the Storm - June 2009
Since the inception of this company we’ve preached heavily that people use some sort of two-factor authentication. Whether it’s certificate or passcode based wasn’t really that relevant to me; it just should NOT be a static password. Fast forward a few years and we’re seeing a proliferation of SMS-based two-factor systems. Essentially you send your password or some other identifying piece of information and the system texts you back a happy little passcode.

There are a couple of things about SMS you should know. (1) It’s a “store and forward” system: your message is queued at the carrier’s message center and delivered whenever the handset is reachable, and the network does very little checking of who actually originated a message (the sender ID is trivially forgeable). (2) There is no end-to-end encryption. At best the message is protected on the radio link by the carrier’s cipher; it sits in plaintext at the message center and everywhere else in between, and anyone with access to that path can read or delay it. This means that a secret sent over SMS is only as safe as the carrier’s network and whoever can get at it. This isn’t because SMS is bad, it’s just bad for authentication. It’s not meant to be a security system! There are also performance and reliability concerns. However, I’ve never really experienced an SMS outage myself, so I think that might be overblown (I’m a huge SMS user).
Essentially, the moral of this story is: don’t use SMS for something it was really not designed for, and use a true two-factor authentication system (plug: WiKID Systems). I don’t like some of the other vendors because of their insistence on hardware tokens; WiKID makes it a bit easier and is also Open Source (yay), but check that out for yourself.