Why You Shouldn’t Use SMS for Multi-Factor Authentication
Importance of Multi-Factor Authentication
Multi-factor authentication (MFA), or two-factor authentication as it was formerly known, is crucial because it ensures your security is not dependent just on your password.
It is why you are able to rely on additional elements, like your face, fingerprint, etc.
Since practically everyone has a mobile phone and managing one is a bit simpler for developers, SMS is the most popular second factor… and least secure.
Don’t get me wrong if you use SMS as your MFA, it is better than nothing. However, it is much safer to use an authenticator app or a physical security key.
So, without further a due, here are 5 arguments against using SMS for Multi-Factor Authentication.
1. Your SMS and Voice Calls are NOT Encrypted
SMS messaging is sent in clear text and are easy for bad actors to intercept.
These hackers have access to things like software-defined radios, FEMTO cells and SS7 intercept services that they use to access these texts.
2. SMS Codes are a Target for Phishing Scams
There are tools out there like one by the name Modlishka, with the sole purpose of mimicking sites you thought you were on to get your info.
They can collect your data so quickly you may never realize it happening.
Similar phishing tools go by the names Evilginx and CredSniper. The names say is all.
Luckily if you use a YubiKey or something similar, you are less susceptible to these attacks.
3. Staff of Phone Providers are Easily Manipulated
Phone providers hire normal people. They are all not technical wizards.
And these attackers are well aware of this.
The attackers can trick employees into changing the phone number to their own SIM card, meaning when you request a security code, it will go to them and not you.
4. Inevitable Outages
Security keys and most authentication apps function offline. SMS on the other hand, requires phone service to work.
We’ve seen plenty of times, especially in Los Angeles where you can still have internet when you either don’t have service or the phone lines are down.
5. The Reality is SMS is Not Going to Get Any More Secure
There are no technical plans to secure SMS any more than it is. Tech giants are focused on other means of cybersecurity.
So while multi-factor authentication becomes more popular and widespread, it has also become a target.
Attackers are going for the low hanging fruit. They know SMS is the weakest point of a MFA security system. It is the first accounts they will try to overtake.
Always Use Some Sort of MFA
Like I mentioned before, if utilizing SMS is your only option, it is better than not having any MFA.
We might explain why you shouldn’t use SMS for Multi-Factor Authentication, but we highly recommend against only using a password with no additional factors to secure your accounts.
I’m just here to inform you of these vulnerabilities so they can stay top of mind.
Consider the option of using an authentication software or, even better, a security key like YubiKey if you decide to do more for your accounts.
Check out our recent YouTube video talking about Microsoft’s Announcement to Disable Basic Auth.
If you want to find out more information about changing your password protection methods, feel free to book a time to chat with us via the Calendly link below. I’d be happy to discuss ways to optimize your company’s IT.
Click here to schedule a free 15-minute meeting with Stan Kats, our Founder and Chief Technologist.
STG IT Consulting Group proudly provides IT Service for Small to Medium Businesses in Greater Los Angeles. We’d love to see if we can help you too!