Why authenticate by SMS?
Because SMS is one of the standard methods of authentication, documented in RFC 8176.
Does it bring a little extra security?
Yes, this involves another authentication factor in your application (I recommend reading up on MFA - Multi-Factor Authentication).
Currently it is of utmost importance to involve more than one authentication factor to perform operations depending on the business. But why the importance of that?
Think about the following situation: you have an application that works with money (financial transactions, subscriptions, etc.), and the form of authentication is a simple password. If by chance some user’s password is compromised, it is of utmost importance to perform damage control. And how do we do this?
There is a big difference between leaving all operations on the platform unrestricted and requesting a confirmation token through another channel to check whether the user actually authorizes the operation (a withdrawal operation, for example). If the attacker does not have access to the channel in which the token was sent, the operation cannot be completed.
SMS is one of the methods; in the RFC that I mentioned there are several others (OTP, user connection, physical token, etc.). Using SMS, for example, the attacker would also need access to the victim’s number (by cloning or intercepting the communication in some way) to enter the correct token and complete the transfer operation.
Why not just check the number present on the cell phone?
I believe it is not a very effective way, and you could emulate the behavior of the phone using any number (for example; I do not know how this is done, but it should be possible, after all everything is possible :) ).
The key point is to always involve one more confirmation/authentication factor, whether the validation will be automatic or not is a team decision regarding pros, cons and complexity.
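The confirmation flow described in the answer above (a token sent over a second channel before a sensitive operation such as a withdrawal), as an added example that is not part of the original answer. The class name, the `send_sms` callable, and the expiry and attempt limits are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300     # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed before the code is burned (assumed policy)


class StepUpConfirmation:
    """Issues and checks one-time codes bound to a single user operation."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # hypothetical callable(phone, text): SMS gateway or GSM modem
        self._clock = clock
        self._pending = {}         # (user, operation) -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        # Keep only a salted hash so the code itself never sits in storage or logs.
        return hashlib.sha256(salt + str(code).encode()).digest()

    def request(self, user, phone, operation):
        """Generate a 6-digit code for this exact operation and send it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        salt = secrets.token_bytes(16)
        self._pending[(user, operation)] = [
            salt, self._digest(salt, code), self._clock() + TOKEN_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Code {code} confirms: {operation}")

    def confirm(self, user, operation, code):
        """True only for the right code, in time, for the same user and operation."""
        key = (user, operation)
        entry = self._pending.get(key)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        expired = self._clock() > expires_at
        ok = not expired and hmac.compare_digest(digest, self._digest(salt, code))
        if ok or expired or attempts_left <= 1:
            del self._pending[key]      # single use; also burned on expiry or too many misses
        else:
            entry[3] = attempts_left - 1
        return ok
```

Because the code is stored under the `(user, operation)` pair, a code issued for one withdrawal cannot be replayed to approve a different one.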
Do you intend to use only 1 of these two methods for authentication?
– Murillo Comino
That's it, but only if it would be effective. Because if you use SMS, you would have an additional expense; the question is the cost-benefit. Is there a flaw in just reading the number? Because most apps send the code?
– LocalHost
If you have physical access to a decent server, you can install a GSM modem on it and send the SMS directly through a chip of yours. The fact is that when you send an SMS, only the real owner of the number will receive the code, in principle, not depending on the data of the device.
– Bacco