Why relying on SMS-based two-factor authentication is a mistake

Dual or two-factor authentication (2FA) is a user verification method that utilizes two pieces of evidence (factors) to determine a user’s identity and grant access permissions. The first factor is usually the user’s login credentials. The second factor comes from a different category — something the user has, knows or is.

In dual-factor authentication, the user begins by entering their usual account credentials (username and password). After those are verified, the user must provide a secondary verification token: a one-time password (OTP), answers to security questions, or biometric scans.

Why use two-factor authentication?

Most user accounts are secured behind a username-password login interface — the most basic identity and access management (IAM) policy. Although this system may seem secure, it is fundamentally flawed. Passwords alone are not enough to protect accounts and their users.

First, many employees exercise poor password practices, such as creating weak passwords, reusing passwords across multiple accounts, and sharing credentials with colleagues. Such habits make it easier for hackers to compromise user accounts. A Psychology of Passwords report illustrates this problem in more detail.

Second, user credentials have become prime targets for attackers and are easily accessible gateways to data breaches. According to the DBIR 2021, credentials are the most sought-after data sets, accounting for more than 80 percent of all the data exposed in social engineering and web application attacks.

2FA adds a crucial security layer on top of the traditional password-based IAM. Even if attackers somehow get hold of user credentials, they still cannot log in without the second factor.

The problem with SMS-based 2FA

For a long time, voice calls and text messages have been the most popular means of delivering the secondary authentication factor in MFA systems. Many 2FA tools prefer SMS verification because it is user-friendly and relatively easy to implement.

However, SMS verification is not as secure as it’s made out to be. In 2016, NIST recommended a ban on SMS and voice authentication tools over serious security concerns. And over recent years, leading tech vendors, including Google and Microsoft, have partially or entirely phased out SMS authentication in favor of app or device-based 2FA.

The problem with SMS authentication is that SMS is not encrypted and is highly susceptible to social engineering scams and man-in-the-middle (MITM) attacks. Attackers can even clone or swap user SIM cards to access OTPs. They can also trick phone service providers and users into disclosing secret authentication codes.

Secure alternatives to SMS authentication

Fortunately, there are several 2FA methods more secure than SMS, voice call, and even email; these are:

  • Software or app authentication: Dedicated software linked to the 2FA system
  • Hardware authentication: Personal devices or dedicated hardware
  • Biometrics authentication: Face and fingerprint scans
  • Security authentication keys: USB sticks and key fobs

Each of these two-factor authentication methods has unique pros and cons. But in general, they are all completely immune to social engineering scams, and the systems powering the authentication are heavily fortified to guard against attacks. Plus, they usually don’t involve any third parties — such as phone providers — minimizing the risks further. The only downside to this strategy is that it may be harder to implement and inconvenient to the user. However, that’s a small price to pay for online safety.

Dual-factor authentication is the safest and most practical way to secure online accounts, from email clients to cloud resources. Microsoft estimates that enabling 2FA blocks up to 99.9 percent of account hacks. However, 2FA only works if implemented correctly and with a robust verification infrastructure.

GB Tech can help your business adapt and run secure two-factor authentication systems for various use cases. Contact us and learn how you can leverage our IT expertise to safeguard your business and all its digital assets.