-3

I've heard that SMS use for authentication in Europe isn't even close to how much it's used in the US. How do they do two step authentication when a user forgets their password? Is it as simple as just using a robocall to give them a code instead of a text?

smci
  • 203
  • 1
  • 7
Caskman
  • 17
  • 13
    We don't use SMS so much in Europe? As a European, that was news to me. :-) – Anders Jun 21 '16 at 19:49
  • 1
    Having lived in both the UK and the US, SMS is used as much as it is in the US. Not so much for services though. I'd probably put this down to company location and cost. Most two step auth that I have set up these days is done via app-based OTP, such as Google Authenticator or Authy, even in US-based companies. – Callum Jun 21 '16 at 23:19
  • Let's assume for a moment that the SMS usage was indeed less frequent in Europe. How does popularity influence the ability to use it as a 2FA? – techraf Jun 22 '16 at 01:12

3 Answers

4

I think the premise of the question is incorrect. We do use SMS in Europe. And even if it is not as commonly used as in the US (not sure that is actually true, but let's assume so), people still have cellphones with the capability to receive SMS. So 2FA with SMS can be used and is commonly used. Based on my experience (as opposed to actual statistics), I would say it is the most common second factor when 2FA is used.

Sebastian Nielsen's answer contains some good examples of other methods that can be used, so I will not repeat that here.

Anders
  • 64,406
  • 24
  • 178
  • 215
1

In most cases here in Sweden/Europe, recovery is done by email. In case it's a sensitive service, for example banking or something similar to that, recovery must be done by physically visiting the bank and showing ID.

Robocall is very uncommon in Sweden, mostly because it's costly, and bears its own risks (reverse-charged numbers and similar).

In some cases, recovery is done by postal mail, e.g. sending out a snail mail to the address that is in the population register.

But there are a few services that do SMS verification too. The reason SMS isn't as widespread is that most people nowadays use WhatsApp, iMessage and such services instead.

techraf
  • 9,141
  • 11
  • 44
  • 62
sebastian nielsen
  • 8,779
  • 1
  • 19
  • 33
  • 3
    I wouldn't say that SMS verification is uncommon in Sweden (or Europe). And most of the sites I use are used all over the world, so we have the same options as everybody else. – Anders Jun 21 '16 at 19:48
  • 1
    Yeah, what I meant in my answer is sites that are primarily targeting Swedes/Europeans, e.g. excluding international services like Google, Paypal, etc. Because I think that was what OP meant in his question. – sebastian nielsen Jun 21 '16 at 21:18
1

For what it's worth, SMS is not very secure as an out-of-band channel. What I've seen in Europe is the use of a registered mobile device as a second factor. However, the user-entered token (Google Authenticator style) is not used.

Instead, when the time comes to log in, you open up a special mobile app, and enter a PIN into that app, and the app talks to the sign-in site saying "here's my secret token" out of band with the web session.

Thus, the device plus its registration/provisioning information plus the user PIN for the authentication/ID app serves as the second factor, which is less easy to hack into than the SS7/phone-number based SMS channel.

The actual provider/name of this technology escapes me, but I'm sure someone else will assist.

Jon Watte
  • 151
  • 2
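A simplified model of the registered-device flow described in the answer above, added here as an illustration and not taken from the answer or from any named product. Assumptions: the class names, the HMAC challenge-response and the PBKDF2 key derivation are hypothetical choices, since the answer does not say which protocol the real apps use.

```python
import hashlib, hmac, secrets

def derive_key(device_secret: bytes, pin: str) -> bytes:
    # The key depends on BOTH the provisioned device secret and the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000)

def sign(key: bytes, session_id: str, challenge: bytes) -> bytes:
    # Binding the tag to the session id ties the approval to one web login.
    return hmac.new(key, session_id.encode() + challenge, hashlib.sha256).digest()

class SignInSite:                       # hypothetical server side
    def __init__(self):
        self.devices = {}               # device_id -> key set at provisioning
        self.pending = {}               # session_id -> (device_id, challenge)
        self.approved = set()           # web sessions confirmed by the app

    def register(self, device_id, key):
        self.devices[device_id] = key

    def start_login(self, session_id, device_id):
        challenge = secrets.token_bytes(16)
        self.pending[session_id] = (device_id, challenge)
        return challenge                # fetched by the app, not the browser

    def app_confirm(self, session_id, device_id, tag):
        entry = self.pending.pop(session_id, None)   # single use: no replay
        key = self.devices.get(device_id)
        if entry is None or key is None or entry[0] != device_id:
            return False
        ok = hmac.compare_digest(sign(key, session_id, entry[1]), tag)
        if ok:
            self.approved.add(session_id)
        return ok

class PhoneApp:                         # hypothetical app on the device
    def __init__(self, device_id):
        self.device_id = device_id
        self.device_secret = secrets.token_bytes(32)  # never leaves the phone

    def provision(self, site, pin):
        site.register(self.device_id, derive_key(self.device_secret, pin))

    def respond(self, session_id, challenge, pin):
        return sign(derive_key(self.device_secret, pin), session_id, challenge)

if __name__ == "__main__":
    site, app = SignInSite(), PhoneApp("phone-1")     # constructed sample values
    app.provision(site, "4821")
    c = site.start_login("web-A", "phone-1")
    print(site.app_confirm("web-A", "phone-1", app.respond("web-A", c, "4821")))
```

Nothing here travels over the phone number, so intercepting SMS gives an attacker nothing to submit; a wrong PIN, an unregistered device or a replayed tag all fail verification.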