Why your business shouldn’t use SMS authentication

Multifactor authentication (MFA) is a security mechanism that verifies a user’s identity through two or more independent verification methods when they log in to their account. It is currently one of the best ways to protect online accounts from cyber attacks. In fact, the MFA market is expected to reach $28.34 billion by 2026 and grow 17.8% annually within the next five years.

The dangers of SMS authentication

One of the most common MFA methods is SMS authentication, which asks a user to input a one-time code sent via a text message to their registered cell phone number to verify their identity. It is a common security feature in many online services today, and is even being used in the workplace as an identity verification method.

But while SMS authentication is one of the easiest ways to implement MFA, it is not one of the most secure. In fact, in light of the rise of recent data breaches, the National Institute of Standards and Technology no longer considers SMS authentication secure. Even Microsoft is discouraging its users from using this authentication method.

Why is SMS authentication insecure? Let’s take a look at two main risks:

1. Spoofing

SMS spoofing involves text messages wherein the sender’s mobile number is forged, making a text message seem to come from a trusted source.

While there are some legitimate uses for SMS spoofing, cybercriminals can take advantage of it to impersonate another entity. For instance, cybercriminals can pretend to be from a bank and send you a text message asking for a security code. At the same time, the hacker will trigger an MFA request on your online bank account. If you provide the code, the hacker will gain access to the account.

Unfortunately, there is currently no way for a recipient to validate that a text message came from whom they think it did, which makes it easy to trick users into handing over one-time login codes. Following best practices to prevent phishing isn’t enough to justify using SMS authentication either, as a hacker with basic information about a victim can sometimes use that information to gain access to their account.

2. SIM-swapping

In a SIM-swapping scheme, hackers call a cell phone carrier and pretend to be a subscriber who has damaged or lost their SIM card. The hackers will then ask the customer service representative to transfer the target’s mobile number to a SIM card in their possession, giving them access to the victim’s one-time SMS codes and password reset links sent via text message.

SIM-swapping is an effective way to circumvent SMS authentication. In fact, back in August 2019, hackers gained control of Twitter CEO Jack Dorsey’s Twitter account through his phone number. The fraudsters went on to post offensive messages before Dorsey regained control of the account.

Alternatives to SMS authentication

Fortunately, there are MFA methods that can better protect our online accounts, such as:

1. Hardware authentication

Hardware authentication refers to security systems that use hardware to verify a user’s identity and grant them access to an account. These include:

  • USB security keys: USB security keys are devices that you can plug into a computer's USB port for authentication. This adds a layer of security as the user must not only know the password, but they must also possess the security key.
  • Fingerprints: This form of biometric authentication lets users access their accounts by scanning their fingerprint. Modern fingerprint scanning relies on dedicated sensor hardware in phones and other devices, which is more accurate than software-only matching.
  • Facial recognition: Facial recognition uses facial biometric data to verify a user’s identity. Unlike passwords or email verification, it matches against a mathematical representation of the user’s unique facial features, making it one of the more secure authentication methods today.

2. Software authentication

Software authentication employs the same principle as hardware authentication, but it generates one-time codes in a mobile app instead of on a physical device. Popular mobile authentication apps include Google Authenticator and Microsoft Authenticator. Because the code is computed on the device itself, this method does not rely on the mobile network, eliminating the spoofing and SIM-swapping risks that come with SMS authentication.
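To show what these apps compute, here is an added example (not code from the original article or from any of the apps named) implementing the time-based one-time password scheme they use, RFC 6238 TOTP on top of RFC 4226 HOTP, together with the server-side check a practitioner would want: a small clock-drift window, a constant-time comparison, and rejection of any code that has already been accepted. The base32 secret below is the RFC 6238 reference test secret, not a real enrolment.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" as base32); used only for demonstration
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_b32(secret_b32):
    """Authenticator apps store the shared secret as base32; restore any stripped padding."""
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32.strip()) % 8)
    return base64.b32decode(padded)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    t = int(time.time()) if at_time is None else int(at_time)
    return hotp(_decode_b32(secret_b32), t // step, digits)


def verify_totp(secret_b32, code, at_time=None, last_counter=-1, window=1, step=30, digits=6):
    """Server-side check. Returns the matching time-step counter, or None if the code is rejected.

    Accepts the current step and +/- `window` neighbouring steps to tolerate clock drift,
    compares in constant time, and refuses any counter <= last_counter so that a code
    captured once cannot be replayed inside the same (or an earlier) step.
    """
    t = int(time.time()) if at_time is None else int(at_time)
    secret = _decode_b32(secret_b32)
    base = t // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue  # already consumed (or older): never accept twice
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None
```

The caller persists the returned counter per user and passes it back as last_counter on the next login; a device without network access can still produce matching codes because only the shared secret and the clock are involved.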

3. IP-based authentication

IP-based authentication checks the user’s IP address upon login. It allows you to block potentially malicious IP addresses, or to only allow logins from trusted IP addresses and ranges. IP-based authentication can be combined with other authentication factors to improve account security. For example, some services will prompt for further authentication when a login is attempted from an unknown or untrusted location.
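As an added example (not from the original article or any particular product), the policy described above expressed in code: blocklisted ranges are refused, logins from trusted ranges proceed with the password alone, and anything else is stepped up to password plus a one-time code. The ranges and the trusted reverse-proxy network are constructed placeholders; the proxy handling is included because a check that trusts a client-supplied X-Forwarded-For header can be bypassed trivially.

```python
import ipaddress

# Constructed example ranges; documentation prefixes, not real infrastructure.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]            # our own reverse proxies
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8:10::/48")]       # office / VPN egress
BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]        # known-abusive space


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_address(peer_ip, forwarded_for=None):
    """Resolve the address to evaluate.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies, and then
    only its right-most entry, which is the hop our proxy actually saw; everything to
    the left was written by untrusted parties. Raises ValueError on garbage input.
    """
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and _in_any(peer, TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def login_policy(peer_ip, forwarded_for=None):
    """Return 'block', 'password' or 'password+totp' for a login attempt."""
    try:
        addr = client_address(peer_ip, forwarded_for)
    except ValueError:
        return "block"            # unparseable addresses never get a login prompt
    if _in_any(addr, BLOCKED_RANGES):
        return "block"
    if _in_any(addr, TRUSTED_RANGES):
        return "password"         # known location: first factor only
    return "password+totp"        # unknown location: require the second factor
```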

Your data needs to be protected using the most secure authentication methods. Fidelis’ Business Data Protection solutions offer 24/7 data monitoring and management as well as regular data backups so you're prepared for any disaster. To learn more about how to protect your online accounts, download our FREE eBook today.

For many businesses, complying with the GDPR’s specific data security and privacy requirements may sound daunting, but it doesn’t have to be. Our eBook Navigating the Data Privacy Labyrinth: A Guide to GDPR Compliance can simplify your compliance journey.