Why You Shouldn't Use SMS for Multi-Factor Authentication - STG

We mention Multi-Factor Authentication quite a lot. This is because it is basically the easiest thing someone can implement to protect your data from cyber threats. Unfortunately, most people choose the text-to-verify option. Here’s why you shouldn’t use SMS for multi-factor authentication. 

Importance of Multi-Factor Authentication

Multi-factor authentication (MFA), or two-factor authentication as it was formerly known, is crucial because it ensures your security is not dependent just on your password.

It is why you are able to rely on additional elements, like your face or fingerprint.

Since practically everyone has a mobile phone and managing one is a bit simpler for developers, SMS is the most popular second factor… and least secure.

Don’t get me wrong: if you use SMS as your MFA, it is better than nothing. However, it is much safer to use an authenticator app or a physical security key.

So, without further ado, here are 5 arguments against using SMS for Multi-Factor Authentication.

1. Your SMS and Voice Calls are NOT Encrypted

SMS messages are sent in clear text and are easy for bad actors to intercept.

Attackers have access to things like software-defined radios, femtocells and SS7 intercept services, which they use to read these texts.

2. SMS Codes are a Target for Phishing Scams 

There are tools out there, such as one named Modlishka, whose sole purpose is to mimic the site you think you are on in order to get your info.

They can collect your data so quickly that you may never realize it is happening.

Similar phishing tools go by the names Evilginx and CredSniper. The names say it all.

Luckily, if you use a YubiKey or something similar, you are less susceptible to these attacks.

3. Staff of Phone Providers are Easily Manipulated 

Phone providers hire normal people. They are not all technical wizards.

And attackers are well aware of this.

The attackers can trick employees into moving your phone number to their own SIM card, meaning that when you request a security code, it will go to them and not you.

4. Inevitable Outages 

Security keys and most authentication apps function offline. SMS, on the other hand, requires phone service to work.

We’ve seen this plenty of times, especially in Los Angeles: you can still have internet when you either don’t have service or the phone lines are down.
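Why an authenticator app keeps working without phone service, as an added example that is not part of the original article: the code is computed on the device from a secret shared at enrollment plus the current time (TOTP, RFC 6238), and the server repeats the same calculation. The key is the RFC's published test secret, used here as constructed sample input, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed steps."""
    return hotp(key, int(unix_time) // step, digits)

def verify(key: bytes, submitted: str, unix_time: float,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept codes within +/- `window` steps to tolerate drift."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        expected = totp(key, t, step, digits)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Constructed sample input: the ASCII test secret published in RFC 6238,
# in the Base32 form an enrollment QR code would carry.
RFC_KEY = b"12345678901234567890"
ENROLLMENT_SECRET = base64.b32encode(RFC_KEY).decode()

if __name__ == "__main__":
    key = base64.b32decode(ENROLLMENT_SECRET)
    now = time.time()
    code = totp(key, now)  # computed locally, no network or carrier involved
    print("code:", code, "accepted:", verify(key, code, now))
```

Nothing is transmitted to the phone at login time, so there is no message for a carrier outage to delay; the remaining requirement is a roughly correct clock on the device.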

5. The Reality is SMS is Not Going to Get Any More Secure 

There are no technical plans to secure SMS any more than it is. Tech giants are focused on other means of cybersecurity. 

So while multi-factor authentication becomes more popular and widespread, it has also become a target. 

Attackers are going for the low-hanging fruit. They know SMS is the weakest point of an MFA security system. Accounts protected by it are the first ones they will try to take over.

Always Use Some Sort of MFA

Like I mentioned before, if utilizing SMS is your only option, it is better than not having any MFA. 

We may be explaining why you shouldn’t use SMS for Multi-Factor Authentication, but we strongly recommend against using only a password with no additional factors to secure your accounts.

I’m just here to inform you of these vulnerabilities so they can stay top of mind. 

Consider using authentication software or, even better, a security key like YubiKey if you decide to do more for your accounts.

Check out our recent YouTube video talking about Microsoft’s Announcement to Disable Basic Auth.

If you want to find out more information about changing your password protection methods, feel free to book a time to chat with us via the Calendly link below. I’d be happy to discuss ways to optimize your company’s IT.

Click here to schedule a free 15-minute meeting with Stan Kats, our Founder and Chief Technologist.

STG IT Consulting Group proudly provides IT Service for Small to Medium Businesses in Greater Los Angeles. We’d love to see if we can help you too!
