Jeff Bruchado
Back to blog

SMS Authentication Links Expose Sensitive Data: What Developers Need to Know

Hello HaWkers, recent research has raised an important alert for developers and security professionals: authentication links sent via SMS can expose sensitive user data. This method, widely used by companies of all sizes, has vulnerabilities that many are unaware of.

Have you ever implemented SMS authentication in a project? Let's explore the risks revealed by the research and understand how to create more secure authentication systems.

The Discovered Problem

Security researchers identified that authentication links sent via SMS can leak sensitive user information through multiple attack vectors.

How the Vulnerability Works

Typical SMS authentication flow:

  1. User requests login or password recovery
  2. System generates unique authentication link
  3. Link is sent via SMS to user's phone
  4. User clicks link to complete authentication

Where the leak occurs:

  • Links are exposed in third-party apps with SMS access
  • Link previews can leak information to external servers
  • Phone carriers can store message content
  • Malware on devices can intercept messages

Exposed Data

The research identified that the following data can be leaked:

Data Type Risk
Authentication token Unauthorized account access
User ID Target identification
Email/phone Targeted phishing
Active session Session hijacking
Timestamp Defined attack window

💡 Alert: Many companies still use predictable or long-lived tokens in SMS links, expanding the vulnerability window.

Why SMS Is Insecure

SMS was never designed to be a secure communication channel. Understanding its limitations is fundamental.

Inherent SMS Problems

1. Lack of end-to-end encryption:

  • Messages travel in plain text on the network
  • Carriers can read the content
  • Interception is technically possible

2. SIM Swap Attacks:

  • Attackers transfer number to new SIM
  • Receive all target's messages
  • 400% increase in attacks since 2020

3. SS7 Vulnerabilities:

  • Telephony protocol with known flaws
  • Allows remote SMS interception
  • Used by hackers and even governments

4. App Permissions:

  • Many apps request SMS access
  • Data shared with third parties
  • Users grant without reading permissions

Real Exploit Cases

Examples of successful attacks using SMS:

  • Twitter (2020): Celebrity accounts compromised via SIM swap
  • Reddit (2018): Employees hacked through SMS interception
  • Binance (2019): SIM swap attempts against users

Impact For Developers

This discovery has direct implications for those developing authentication systems.

Expanded Responsibilities

Developers need to consider:

  • Security of delivery channel, not just the token
  • Behavior of apps accessing SMS on device
  • Token lifetime and predictability
  • Safer alternatives when available

Compliance and Regulation

Using SMS for authentication can create compliance issues:

Regulation Implication
GDPR Personal data in transit unencrypted
PCI DSS SMS not recommended for payment data
HIPAA Inadequate for health information
SOC 2 May compromise certification

When SMS Is Still Acceptable

Despite the risks, SMS may be acceptable in some scenarios:

Acceptable:

  • Second factor combined with strong password
  • Non-critical notifications
  • Initial phone number verification
  • Low-risk apps

Avoid:

  • Single authentication factor
  • High-value financial transactions
  • Health or highly sensitive data
  • Accounts with elevated privileges

Secure Alternatives to SMS

There are more secure options that developers should consider.

1. Authenticator Apps

Apps like Google Authenticator, Authy, or Microsoft Authenticator offer:

  • TOTP (Time-based One-Time Passwords)
  • Locally generated codes
  • No network transmission
  • Resistant to interception
// Example TOTP implementation in Node.js
const speakeasy = require('speakeasy');

// Generate secret for user
const secret = speakeasy.generateSecret({
  name: 'MyApp',
  length: 32
});

// Verify user token
const verified = speakeasy.totp.verify({
  secret: secret.base32,
  encoding: 'base32',
  token: userToken,
  window: 1 // Allows 1 interval tolerance
});

console.log('Token valid:', verified);

2. WebAuthn/Passkeys

Modern passwordless authentication standard:

  • Uses public key cryptography
  • Phishing resistant
  • Supported by major browsers
  • Can use device biometrics
// WebAuthn registration example
const publicKeyCredentialCreationOptions = {
  challenge: new Uint8Array(32),
  rp: {
    name: "My Application",
    id: "mysite.com"
  },
  user: {
    id: new Uint8Array(16),
    name: "user@email.com",
    displayName: "User"
  },
  pubKeyCredParams: [
    { alg: -7, type: "public-key" },  // ES256
    { alg: -257, type: "public-key" } // RS256
  ],
  authenticatorSelection: {
    authenticatorAttachment: "platform",
    userVerification: "required"
  },
  timeout: 60000
};

const credential = await navigator.credentials.create({
  publicKey: publicKeyCredentialCreationOptions
});

3. Secure Push Notifications

Push notifications with approval are more secure than SMS:

  • Encrypted channel
  • Device authentication
  • Biometric verification possible
  • Detailed audit logs

4. Hardware Tokens

For maximum security:

  • YubiKey and similar
  • Resistant to all remote attacks
  • FIDO2/WebAuthn standard
  • Ideal for critical accounts

Method Comparison

Method Security Usability Cost
SMS Low High Low
TOTP App Medium-High Medium Free
Push High High Medium
WebAuthn Very High High Low
Hardware Maximum Low High

Implementing Secure Authentication

Practical guide for developers who need to update their systems.

Recommended Migrations

Step 1: Assessment

  1. Identify all flows using SMS
  2. Classify by risk level
  3. Prioritize critical migrations

Step 2: Progressive implementation

  1. Offer alternatives before removing SMS
  2. Educate users about safer options
  3. Monitor adoption of new methods

Step 3: Transition

  1. Make SMS fallback, not default
  2. Incentivize migration with better UX
  3. Eventually deprecate for sensitive accounts

Best Practices For Tokens

If you still need to use SMS temporarily:

// Secure token generation
const crypto = require('crypto');

function generateSecureToken() {
  // Cryptographically secure random token
  const token = crypto.randomBytes(32).toString('hex');

  // Token hash for storage
  const hashedToken = crypto
    .createHash('sha256')
    .update(token)
    .digest('hex');

  return {
    plainToken: token,      // Send to user
    hashedToken: hashedToken // Store in database
  };
}

// Security settings
const tokenConfig = {
  expirationMinutes: 5,     // Short expiration
  maxAttempts: 3,           // Attempt limit
  ipBinding: true,          // Bind to IP
  deviceBinding: true       // Bind to device
};

Anomaly Detection

Implement monitoring to detect attacks:

// SIM swap detection example
async function detectSIMSwap(userId, phoneNumber) {
  const recentChanges = await checkCarrierAPI(phoneNumber);

  if (recentChanges.simChangedRecently) {
    // Block SMS and require alternative verification
    await flagAccount(userId, 'POTENTIAL_SIM_SWAP');
    return false;
  }

  return true;
}

// Suspicious pattern monitoring
async function monitorAuthAttempts(userId) {
  const attempts = await getRecentAttempts(userId);

  const suspicious = {
    multipleDevices: attempts.uniqueDevices > 3,
    differentLocations: attempts.uniqueLocations > 2,
    rapidAttempts: attempts.last5Minutes > 5,
    unusualTime: isUnusualTimeForUser(userId, new Date())
  };

  if (Object.values(suspicious).some(v => v)) {
    await requireAdditionalVerification(userId);
  }
}

Communicating Changes to Users

Transitioning from SMS to more secure methods requires clear communication.

Communication Strategies

What to explain:

  • Why the change is necessary
  • How the new method works
  • Security benefits
  • Available support

What to avoid:

  • Excessive technical language
  • Blaming users for using SMS
  • Abrupt changes without warning
  • Removing options without alternatives

Example Message

## Your Account Security Update

We are updating our verification methods to better
protect your account.

**What's changing:**
You can now use an authenticator app instead of SMS.
It's faster and much more secure.

**Why this matters:**
SMS can be intercepted by hackers. Authenticator apps
generate codes that only work on your device.

**How to set up:**
1. Download Google Authenticator or Authy
2. Go to Settings > Security
3. Select "Add authenticator app"
4. Scan the QR code

Need help? Contact us.

The Future of Authentication

The trend is clear: passwordless and hardware-based methods.

Trends For 2027+

1. Passkeys as standard:

  • Apple, Google, and Microsoft aligned
  • Gradual elimination of passwords
  • Secure synchronization between devices

2. Advanced biometrics:

  • Behavioral recognition
  • Multiple biometric factors
  • Liveness detection

3. Continuous authentication:

  • Passive verification during use
  • Real-time adaptive risk
  • No friction for legitimate users

Conclusion

The discovery that SMS authentication links expose sensitive data is an important reminder: security must be considered throughout the entire flow, not just in token generation. Developers have the responsibility to implement safer alternatives.

Key points:

  1. SMS was not designed for security and has known vulnerabilities
  2. Authentication links can expose tokens, IDs, and other sensitive data
  3. Alternatives like TOTP, WebAuthn, and push notifications are safer
  4. Migration should be gradual with clear communication to users
  5. The future points to passwordless authentication based on passkeys

For developers, the message is clear: it's time to rethink using SMS as an authentication method, especially for applications dealing with sensitive data.

For more on development security, read: GitLab Vulnerability Allows Bypassing Two-Factor Authentication.

Let's go! 🦅

Comments (0)

This article has no comments yet 😢. Be the first! 🚀🦅

Add comments