Why SMS 2FA Isn’t Enough – Ramp up Protection with Alternative Two-Factor Authentication Methods - Anders CPA (2024)

Both businesses and individuals have become much more wary in recent years about securing their technology after facing increasingly sophisticated cyber-attacks. Security measures like two-factor authentication (2FA) help ensure there’s no unauthorized access to your organization’s network. One common form of 2FA, SMS 2FA, has a number of security flaws associated with it, making it imperative to consider alternative methods of 2FA outside of SMS verification.

Key Takeaways:

  • Two-factor authentication requires two different authentication factors for users to log into their account
  • SMS-based two-factor authentication contains a number of security flaws, including susceptibility to social engineering and the possibility of messages being intercepted
  • Limitations of SMS two-factor authentication also include delays in receiving messages
  • Alternative forms of two-factor authentication, like hardware tokens or app-based 2FA, can reduce some risks associated with SMS 2FA

Two-factor authentication is a security measure that requires users to provide two different authentication factors to log into their account. This is typically done through a combination of something the user knows, like a password, and a device the user owns, like a mobile phone. One of the most common forms of 2FA is SMS two-factor authentication (SMS 2FA), where a code is sent to the user’s cell phone via SMS to verify their identity. While SMS 2FA is considered a relatively secure form of 2FA, it’s not without its flaws.

Vulnerable to SMS Interception

One of the biggest security flaws with SMS 2FA is the possibility of SMS interception. This occurs when a malicious actor intercepts the SMS message containing the verification code. They can then use this code to gain access to the user’s account even if they don’t know the password. This can be done through techniques such as SIM swapping, where the attacker takes control of the victim’s cell phone number.

Possibility of Social Engineering

SMS 2FA can also be vulnerable to social engineering attacks. This occurs when a malicious actor tricks the user into giving them their verification code, either through a phone call or an email, by posing as a person or representative from an organization the user trusts. For example, the attacker might pretend to be from a bank or an online retailer and ask the user to provide their verification code for security purposes.

Delays in Receiving SMS

Another issue with SMS 2FA is that there can be delays in receiving the SMS message containing the verification code. This can be caused by network congestion, problems with the carrier, or other technical issues. This can result in the user being unable to log into their account even if they know their password and are trying to do so from a trusted device.

Given these security flaws, it’s important to consider alternative forms of 2FA, such as app-based 2FA or hardware tokens. App-based 2FA works by using a code generator app on the user’s cell phone to generate a one-time code for logging into their account. This eliminates the possibility of SMS interception and reduces the risk of social engineering attacks.

Hardware tokens, such as key fobs, work by generating a unique code that the user enters to log into their account. This eliminates the reliance on the user’s cell phone and reduces the risk of delays in receiving SMS messages.

Anders Technology has experience developing cybersecurity architecture and strategies to manage vulnerabilities and protect private information from falling into the wrong hands. Learn more about how we can protect your business from evolving cyber threats and the associated fees by contacting Anders below.

FAQs

Why is 2FA no longer safe?

Even if the user doesn't respond to a push login request or doesn't enter a One-Time Password (OTP) when prompted, a hacker still knows they now have a working password. How? Because the delay for the denied message takes longer... Most of us know where this is going; the hacker is persistent in their login attempts.

Is there a better 2FA than SMS?

Authenticator apps generate 2FA codes locally on a device, rather than sending them unencrypted over text message. The 2FA codes in authenticator apps also change every 30 to 60 seconds, which makes them difficult for cybercriminals to steal. SMS authentication sends 2FA codes unencrypted over text message.

Why not SMS for MFA?

Lack of Encryption: SMS messages are not encrypted, and as a result, they can be intercepted and read by attackers. If the SMS message contains sensitive information, such as a six-digit authentication code, it can be used by attackers to gain access to the targeted account.

What are the disadvantages of SMS 2FA?

While SMS-based MFA is a popular method, it also comes with several risks and limitations. One of the primary dangers of using SMS for MFA is the potential for interception. SMS messages are not encrypted, and attackers can intercept them using various techniques, including phishing, malware, and SIM-swapping attacks.

Why is SMS 2FA not secure?

This is because SMS messages are not encrypted and rely only on the security of phone networks and companies–which are notoriously easy to access. Another way they can get into your messages is by tricking you into installing malware on your device.

Why is 2FA not enough?

Vulnerable to SMS Interception

One of the biggest security flaws with SMS 2FA is the possibility of SMS interception. This occurs when a malicious actor intercepts the SMS message containing the verification code. They can then use this code to gain access to the user's account even if they don't know the password.

Why is SMS less secure than the authenticator app?

As mentioned before, SMS messages can be intercepted or redirected, whereas authenticator apps generate codes locally on your device, making them much harder for a potential attacker to access.

Which is the strongest 2FA method?

Hardware security keys like YubiKey provide the most secure form of two-factor authentication. Unlike SMS or authenticator apps, which can be phished, hardware keys offer phishing-resistant authentication by requiring physical possession of the key.

What are the advantages of SMS 2FA?

SMS 2FA provides additional protection by requiring a short one-time password to be sent to the user via text message. This one-time password is necessary to log in and access the user's account. It adds an extra layer of security beyond the standard password and login protection.

Is Microsoft phasing out SMS?

Microsoft will no longer support SMS for certain types of sign-ins, including sign-ins from new devices and sign-ins that require multi-factor authentication. This is being done to improve security and reduce the risk of unauthorized access.

What is the problem with SMS authentication?

The main risks include:

  • Interception of SMS messages: SMS messages are unencrypted and can be intercepted by attackers.
  • Mobile network dependency: Outages can prevent receiving authentication codes.
  • SS7 vulnerabilities: Though less common now, attackers can exploit the SS7 protocol to intercept messages.

Why won't SMS verification work?

Causes of Not Receiving Verification Code Texts on Android

  • You provided the wrong phone number.
  • Your inbox is full.
  • Your phone is set to block messages from unknown senders.
  • Your phone carrier is blocking the message.

Is SMS 2FA better than no 2FA?

While SMS-based 2FA is better than no 2FA at all, authenticator apps have the edge because they provide stronger safeguards against threat actors looking to hack into your online accounts.

Can SMS 2FA be spoofed?

Once you have entered your password, an authentication code is sent via text message to your mobile device, which you can then enter on the website or application to complete the authentication process. Scammers can get around SMS-based 2FA by using social engineering to get you to send them your code.

Is SMS safe for authentication?

The use of SMS-based authentication is no longer sufficient to protect against account takeover attempts. While it may be a convenient and easy-to-use method of authentication, it is not secure.

Why shouldn't you use 2FA?

There are several reasons why email, as a method of two-factor authentication, should not be considered a secure second factor. If a malicious user gains access to your email account, they can perform a forgotten password action to gain a new password and then receive the two-factor code in the same email account.

Can you still be hacked with two-factor authentication?

Two-factor authentication is a powerful security measure, but it is not impervious to hacking attempts. Hackers have devised various techniques to bypass 2FA and gain unauthorized access to user accounts.

What is the problem with 2FA?

Criminals can call users and pose as banks or trusted agents and ask to confirm the passcode that was sent to them, or provide links to spoofed websites through phishing attacks. They can also pose as users and contact cell phone carriers in an attempt to carry out a SIM cloning attack.

Why is 2FA invalid?

If you enter a 6-digit 2FA (2-factor authentication) code correctly within the 30-second time limit and still encounter a “2FA Google Auth is invalid” error, it could be that your 2FA application is not properly synchronized with your device's time zone settings or the network time.
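
The app-based codes described in the article and the clock-synchronization error above can be seen in a short sketch. This is an added example, not code from the original article; it assumes the authenticator follows RFC 6238 (TOTP with HMAC-SHA1, 30-second steps), and the function names `totp` and `verify` and the sample secret are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid (assumed; the common authenticator default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: derive the code locally from the shared secret and the clock."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int,
           window: int = 1, last_counter: int = -1):
    """Return the matched time-step counter, or None if the code is rejected.

    window       -- time steps of clock drift tolerated on either side
    last_counter -- highest step already accepted for this user (blocks replay)
    """
    now = server_time // STEP
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue  # this step's code was already used once
        if hmac.compare_digest(totp(secret, counter * STEP), code):
            return counter
    return None


# Constructed sample data: the published RFC 6238 SHA-1 test secret, not a real account.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    phone_time, server_time = 1111111109, 1111111111  # clocks 2 s apart, across a step boundary
    code = totp(SECRET, phone_time)  # nothing is sent over SMS; the code is computed on the device
    print("code shown in app:", code)
    print("strict server (window=0):", verify(SECRET, code, server_time, window=0))
    step = verify(SECRET, code, server_time, window=1)
    print("tolerant server (window=1):", step)
    print("same code replayed:", verify(SECRET, code, server_time, last_counter=step))
```

A server that tolerates no drift rejects a correct code when the two clocks fall in different 30-second steps, which is the "invalid" error described above; widening the window trades that failure for a slightly longer period in which a phished code remains usable.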

Article information

Author: Melvina Ondricka
