Multifactor authentication (MFA) is a security control that verifies a user's identity with two or more independent factors when they log in to an online account. These factors typically include:
- Something they have, like a one-time passcode (OTP) sent to a smartphone
- Something they know, like a password
- Something they are, like a fingerprint or retinal scan
MFA is an effective way to protect user accounts from cyberattacks. According to a recent study, MFA adoption and spending have increased because of the growing threat of phishing attacks and the rise of work-from-home arrangements during the pandemic.
The dangers of SMS authentication
One of the most commonly used MFA factors is SMS authentication, which involves users verifying their identity by inputting a one-time code sent via a text message to their mobile number. But while it is convenient, it is not a secure authentication method. In fact, Microsoft is urging companies to move away from SMS authentication.
Why is this so? Let’s take a look at two main risks of using it:
1. SIM swapping
SIM swapping involves hackers calling a mobile carrier and pretending to be a subscriber who has damaged or lost their SIM card. They will ask the carrier to transfer the victim’s mobile number to their own SIM card, granting them access to OTPs and password reset links sent via text messages.
SIM swapping is an effective way to bypass SMS authentication. In fact, in April 2020, a man in London fell victim to it, and the attacker spent £13,000 over 48 hours. And in April 2019, the Twitter account of Twitter CEO Jack Dorsey was used to post offensive content after hackers gained control of his mobile number.
2. SMS Spoofing
In an SMS spoofing scheme, cybercriminals send text messages under a forged mobile number, making it look like the message came from a reputable source.
For instance, fraudsters can pose as a bank employee and ask the customer to read back the OTP they are about to receive. The cybercriminal then triggers an MFA request by attempting to log in to the victim's online bank account. If the victim hands over the code, the attacker gains access to the account.
What are the alternatives to SMS authentication?
While the National Institute of Standards and Technology recognizes SMS as a valid authentication channel, it says that the mobile number used must be associated with a specific physical device to mitigate security risks. It’s also a good idea to use more secure MFA methods that can better protect online accounts, including:
1. Hardware authentication
This refers to security systems that use physical devices to verify a user’s identity. Some examples are:
- USB security keys: These are devices that you plug into a computer to authenticate. This improves security because the user must physically possess the key in addition to knowing the password.
- Facial recognition: Facial recognition technology uses unique algorithms to map facial features from a video or photograph. It then compares the data with a list of known faces to find a match.
- Fingerprint recognition: Fingerprint scanners work by capturing the patterns of ridges and valleys on one’s finger. The data is then processed by the device’s pattern matching software, which compares it to a list of registered fingerprints. If a match is found, a user is granted access to a system.
2. Software authentication
Software authentication verifies the identity of users via codes generated on apps like Google Authenticator, Microsoft Authenticator, or Authy. This method relieves users of having to carry a hardware authenticator, and because the codes are computed on the device from a shared secret and the current time, it does not rely on a mobile network or internet connection, which removes the SMS-delivery risks described above.
3. IP-based authentication
IP-based authentication lets businesses permit logins only from trusted IP addresses and block known-bad ones. It can be combined with other authentication factors to strengthen account security. For example, if a login attempt comes from an unknown or untrusted location, the system can prompt for further authentication before granting access.
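As an added example (not from the original post or any particular product), the following Python sketches the policy just described: classify the source address against an allowlist and blocklist, step up to an extra factor when the address is unknown, and, a caveat practitioners run into, take the client address only from the connection or from a trusted reverse proxy, never from a header the client itself can set. All network ranges are constructed placeholder values.

```python
import ipaddress

# Constructed allowlist: an office range and a single VPN egress address.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Constructed blocklist: a range the team has decided to refuse outright.
BLOCKED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed: the reverse proxies whose X-Forwarded-For header we are willing to trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def client_ip(remote_addr: str, forwarded_for: str = "") -> str:
    """Determine the real client address.

    If the TCP peer is not a trusted proxy, X-Forwarded-For is attacker-controlled and
    ignored. Otherwise walk the header from the right and return the first hop that is
    not one of our proxies; anything further left was appended by untrusted parties.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, TRUSTED_PROXIES) or not forwarded_for:
        return remote_addr
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed hop: skip it rather than trusting it
        if not _in_any(hop_addr, TRUSTED_PROXIES):
            return hop
    return remote_addr


def classify_login_ip(source_ip: str) -> str:
    """Return 'block', 'allow' or 'step_up'. Blocklist wins; unparseable input is untrusted."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "step_up"
    if _in_any(addr, BLOCKED_NETWORKS):
        return "block"
    if _in_any(addr, TRUSTED_NETWORKS):
        return "allow"
    return "step_up"


def authorize_login(source_ip: str, password_ok: bool, mfa_ok: bool,
                    step_up_ok: bool = False) -> str:
    """Combine the IP verdict with the other factors.

    Password and a normal MFA factor are always required. From a trusted address that
    is enough; from an unknown address the login is 'challenge' until a stronger
    step-up factor (e.g. a hardware key) has also been presented.
    """
    if not (password_ok and mfa_ok):
        return "deny"
    verdict = classify_login_ip(source_ip)
    if verdict == "block":
        return "deny"
    if verdict == "allow":
        return "allow"
    return "allow" if step_up_ok else "challenge"


if __name__ == "__main__":
    ip = client_ip("10.1.2.3", "8.8.8.8, 10.1.2.3")
    print(ip, classify_login_ip(ip), authorize_login(ip, True, True))
```

The important detail is the order of checks: the IP verdict never replaces the other factors, it only decides whether an additional one is demanded, and the address it judges must come from a source the attacker cannot forge.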
Need help securing your data from cyberthreats? Complete Document Solutions can help. We will not just ensure peak performance of your IT infrastructure, but we will also protect your data using the most secure authentication methods. To learn more about how partnering with a managed IT services provider like us can help, download our FREE eBook today.