Regular username and password based authentication relies on a single set of access credentials (username and password) which is something user "knows", i. e. he/she has a knowledge of the username and password. If the information is somehow compromised (stolen, intercepted, guessed etc), then the unauthorized access to the service can be gained relatively easy.
Multi factor authentication uses more than one factor to verify the identity of the user:
- Something user "knows" (like username, password or PIN, see above)
- Something user "has" ( a physical device, like code card, token generators, or a phone number)
- Something user "is" ( biometric factors, like fingerprints, eye retina patterns, or voice)
Two factor authentication uses two of the above factors, usually what the user "knows" and "has". It greatly reduces risks of unauthorized access, because compromising one the factor, does not compromise the access altogether.
The method of using users phone number is relatively easy to implement and secure way to achive two factor authentication. While it has its own security issues, it is still considered far more secure than the traditional one factor (username and password based) authentication. This method assumes that users phone number is the factor that user "has", i.e. this is something what traditionally has been considered as more or less stable and permanent property. Once you have got the access to your phone line number, it is supposed to stay with you for reasonable long time, and even if you decide to abandon it, it will not become in the possession of another user in the short time frame. Companies usually place those numbers on hold for some time before making them available to next user.
It is also considered safe to assume that the call delivered to the specific number will always reach to the number, same is true for short messages. Therefore information delivered via Voice call or SMS can be considered as good second factor of the two factor authentication mechanism.
{$image1}
In practical scenario, the application developers choose whether to use text messaging, voice calling or both methods for delivering two factor authentication codes.
Advantages of using SMS:
- Seamless integration with end users app - the code can be delivered directly to the app without users intervention;
- Faster delivery times in compared to establishing voice calls;
- Lower costs in most of the markets;
Advantages of the Voice call:
- In many markets is more reliable or sometimes the only method available;
- In many markets cheaper than text messaging.
Developers should therefore decide which methods in which case they should use, should one method be backed up by another, and what are the execution schedule.
Check out also my post about use case of one time passwords with script based telehony engine.
