Using SMS as an additional means to authenticate your password is better than nothing, but it’s not the most reliable. Tom Merritt lists five reasons why SMS should not be used for MFA.
Multi-factor authentication (MFA), or as we used to call it two-factor authentication, is essential–it means you don’t rely on your password alone for security. That password is something you know, but with MFA you also rely on other factors, like something you are (your face, fingerprint, etc.), or something you have, like a security key. SMS is the most frequently-used additional factor because almost everybody has it and it’s a little easier to manage for developers, but it’s also the least secure. While it is better than nothing, it’s much more secure to use an authenticator app or a physical security key. Here are five reasons not to use SMS for MFA.
SEE: Secure your data with two-factor authentication (free PDF) (TechRepublic)
- SMS and voice calls are not encrypted. Instead, they’re transmitted in clear text making them easier to intercept. Determined attackers have access to a wealth of tools, from software-defined radios to FEMTO cells to SS7 intercept services.
- SMS codes are vulnerable to phishing. A tool called Modlishka uses actual content from the site it’s mimicking to get you to enter your info and dumps you out on that site at the end so you don’t even realize you were there. CredSniper and Evilginx are similar phishing tools. A YubiKey or similar isn’t vulnerable to this attack.
- Phone company employees can be fooled. Attackers can trick an employee into transferring a phone number to the attacker’s SIM card, meaning the security codes get sent to them instead of you.
- Outages. Authentication apps and security keys work offline. SMS needs the phone service to be available to work and sometimes the phone system can go down when the internet does not.
- SMS isn’t likely to get more secure. As multi-factor authentication becomes more common, more attackers will target it. Attackers usually target the weakest link in security and with MFA, SMS is the weakest link.
All that said, if SMS is your only option, use it! Having SMS on as multi-factor authentication is still better than having no other factors and just relying on a password. If you have the option, you might want to go with an authentication app or, even better, a security key like a YubiKey.
Subscribe to TechRepublic Top 5 on YouTube for all the latest tech advice for business pros from Tom Merritt.