Authentication Methods

Short Message Service (SMS)

Less-secure strong authentication using mobile devices with SMS text capability.


SMS Challenge/Response

Non-compliant authentication method that is being superseded by push and passwordless

Mobile devices with SMS text capability can be used for authentication via One Time Password (OTP) and Challenge/Response (CR or Y/N). This is a less-secure form of strong authentication because it is vulnerable to man-in-the-middle attacks.

  • SMS OTP sends a one-time password to the user’s phone via SMS. The user enters the OTP at the login prompt and, if it matches, is approved.
  • SMS Challenge-Response sends the user’s phone an SMS asking whether the authentication attempt should be approved. If the user texts back “Yes”, authentication completes and the user is logged in; if the user texts back “No”, authentication fails and the user is not logged in.

For organizations requiring compliance with any NIST-based regulatory regime, SMS OTP is no longer a compliant authentication method due to its vulnerability to man-in-the-middle (MITM) attacks.
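The two flows described above, as an added example that is not SurePassID's code: a hypothetical server that issues an OATH HOTP (RFC 4226) code by SMS, accepts it only once and only within a time limit, and handles the Yes/No challenge reply. `SmsAuthServer`, the `send_sms` callable and the message texts are assumptions; the SMS gateway is a constructed stand-in.

```python
import hashlib
import hmac
import secrets
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SmsAuthServer:
    """Hypothetical server side of SMS OTP and SMS Yes/No challenge (not a SurePassID API)."""
    def __init__(self, send_sms, ttl_seconds: int = 300):
        self.send_sms = send_sms  # constructed stand-in: callable(phone, text) for an SMS gateway
        self.ttl = ttl_seconds
        self.users = {}           # username -> {"secret", "phone", "counter"}
        self.pending_otp = {}     # username -> (counter, expires_at)
        self.pending_cr = {}      # phone -> (username, expires_at)
    def enroll(self, username: str, phone: str) -> None:
        self.users[username] = {"secret": secrets.token_bytes(20), "phone": phone, "counter": 0}
    def start_otp(self, username: str, now=None) -> None:
        """SMS OTP: the server picks the HOTP counter, texts the code and expects it typed back."""
        now = time.time() if now is None else now
        u = self.users[username]
        self.pending_otp[username] = (u["counter"], now + self.ttl)
        self.send_sms(u["phone"], f"Your login code is {hotp(u['secret'], u['counter'])}")
    def verify_otp(self, username: str, submitted: str, now=None) -> bool:
        now = time.time() if now is None else now
        u = self.users[username]
        pending = self.pending_otp.pop(username, None)  # single use: one attempt per sent code
        if pending is None:
            return False
        counter, expires_at = pending
        u["counter"] = counter + 1  # burn the counter whether or not this attempt succeeds
        return now <= expires_at and hmac.compare_digest(hotp(u["secret"], counter), submitted)
    def start_challenge(self, username: str) -> None:
        """SMS challenge/response: text a Yes/No question and act on the reply."""
        u = self.users[username]
        self.pending_cr[u["phone"]] = (username, time.time() + self.ttl)
        self.send_sms(u["phone"], f"Approve login for {username}? Reply Yes or No")
    def handle_reply(self, phone: str, text: str):
        """Return (username, approved) for a live challenge, or None if nothing is pending."""
        pending = self.pending_cr.pop(phone, None)  # a reply answers at most one challenge
        if pending is None or time.time() > pending[1]:
            return None
        return (pending[0], text.strip().lower() == "yes")
```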



Advantages

  • Low cost to implement
  • Easy to self-provision or automatically provision
  • Easy to recover user accounts and reprovision
  • Leverages BYOD (mobile phones)
  • Open standards-based (OATH)

Disadvantages

  • High cost as authentication volumes increase
  • Can’t work offline – requires a cellular connection
  • Can’t work if user forgets their mobile phone
  • Not compliant – SMS is vulnerable to man-in-the-middle attacks
  • Not viable for Secure Areas or other use cases where mobile phones are prohibited

Ready to experience the SurePassID difference?

Contact us and bring our MFA expertise to bear on your unique requirements. Or begin our free trial and see how easy it is to secure your universe with SurePassID Universal MFA.
