NDSS 2021
On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices
Zeyu Lei, Yuhong Nan, Yanick Fratantonio, Antonio Bianchi
Abstract
code to this number. Finally, either the user is asked to insert the received authentication code, or the app automatically reads it from the incoming SMS, at which point the app can send the code back to the app’s backend. This procedure proves ownership of a specific phone number (and of the corresponding SIM card). We note how this protocol effectively uses the SMS channel as the only “factor” to authenticate to a user’s account.
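The backend side of the flow described above, as an added example that is not code from the paper or its authors. The class name, in-memory store, validity window and attempt limit are assumptions, and the phone number is a constructed sample.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 5        # assumed guess limit per issued code


class OtpBackend:
    """Hypothetical backend: issue a code for a phone number, verify it once."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # per-process key for stored digests
        self._pending = {}                    # phone -> [digest, expiry, attempts_left]

    def _digest(self, phone, code):
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def request_code(self, phone):
        """App submits the number; returns the code handed to the SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = [self._digest(phone, code),
                                self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify_code(self, phone, code):
        """App sends the code back; True is taken as proof of number ownership."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expiry, attempts_left = entry
        if self._clock() > expiry or attempts_left <= 0:
            del self._pending[phone]
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, self._digest(phone, code)):
            del self._pending[phone]           # single use: a replay fails
            return True
        return False


def demo():
    backend = OtpBackend()
    phone = "+15555550100"                     # constructed sample number
    sms_body = f"Your code is {backend.request_code(phone)}"   # SMS delivery
    code = sms_body.rsplit(" ", 1)[1]          # typed by the user or read by the app
    # The backend sees only (phone, code), so the SMS body is the sole factor.
    return backend.verify_code(phone, code), backend.verify_code(phone, code)
```

Expiry, single use and the attempt limit bound guessing and replay, but `verify_code` cannot tell which party on the device read the SMS body.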