Waleed C | May 9th 2019
Here’s why you should not use SMS for Multi-Factor Authentication
In today’s threat landscape, multi-factor authentication (MFA) is always a good idea, and any second factor is more secure than a password alone. However, not all MFA methods are created equal.
SMS (text message) is the default option for many services offering MFA. When authenticating with this method, you enter your username and password, followed by a code that is sent to you by SMS. This is meant to prove that the person signing in to the account is really you: having both the account password and access to the mobile number associated with the account seemingly makes a good case that the person authenticating is the account owner. The important detail is that the code is sent to a phone number, not to a specific device, so anyone who can receive messages for that number receives the code.
A determined attacker, however, can exploit known weaknesses in SMS to obtain that MFA code and still gain unauthorized access to the account, without ever touching your phone.
SMS messages are not difficult to intercept: they cross the carrier network unencrypted, and the SS7 signalling protocols that route them were designed without authentication, so a party with SS7 access can have texts for a given number redirected. It is also possible to call a mobile carrier, impersonate the account owner, and have the number moved to a new SIM card (a “SIM swap”), after which every MFA code is delivered to the attacker’s phone. Both are targeted attacks, but neither is difficult for someone who wants to carry one out.
If you have the option, use an authenticator app such as Authy or Google Authenticator: the code is generated on your device from a secret shared at enrolment and the current time, so it never crosses the carrier network and there is nothing for a SIM swapper to receive. Even better is a physical security key such as a YubiKey, whose response is bound to the site you are signing in to and so cannot be phished. However, if SMS is the only MFA option a service offers, it is still a much better choice than no MFA at all!
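To make the contrast concrete, here is an added example (not code from the original post or from any of the apps named above) of what an authenticator app actually does: a minimal TOTP implementation per RFC 4226 and RFC 6238. The only network exchange is the one-time `otpauth://` enrolment URI; after that, phone and server each compute the code from the shared secret and the clock, so no code is ever sent to a phone number. The issuer and account names are constructed for illustration; the test timestamps and secret are the ones published in RFC 6238’s Appendix B.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation.

Added example: shows why an authenticator app is not exposed to SMS
interception or SIM swapping. The code is derived from a secret shared at
enrolment plus the current time, so no code is ever transmitted to the user.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, for_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the number of
    `step`-second intervals since the Unix epoch. This is what the phone
    computes locally; nothing is received over the network."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current interval plus `window`
    intervals on either side to absorb clock skew, and compares in
    constant time so a wrong guess leaks nothing through timing."""
    if now is None:
        now = int(time.time())
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def enrol(issuer: str, account: str) -> Tuple[bytes, str]:
    """Generate a fresh 160-bit secret and the otpauth:// URI that
    authenticator apps scan as a QR code. This one-time exchange is the
    only time the secret leaves the server; afterwards only the secret's
    outputs are ever compared. Issuer/account values are illustrative."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm=SHA1&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print("t=59 ->", totp(rfc_secret, 59, digits=8))   # 94287082 per RFC 6238

    # Constructed enrolment for a hypothetical service and user.
    secret, uri = enrol("ExampleBank", "alice@example.com")
    print("enrolment URI:", uri)
    code = totp(secret)                 # computed on the phone, offline
    print("server accepts:", verify_totp(secret, code))
```

Two things worth noticing. First, an attacker who controls the victim’s phone number gains nothing here: the secret is on the device, not the SIM, and no code is ever delivered to the number. Second, the server’s `window` is a deliberate trade-off: each extra interval accepted widens the set of valid codes, so keep it small and pair it with rate limiting on failed attempts.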