SMS 2FA Isn’t Enough 

Keep Your Company Safe with Alternative Two-Factor Authentication Methods  

Both businesses and individuals have become much more wary in recent years about securing their technology after facing increasingly sophisticated cyberattacks. We’ve all come to know that compromised credentials are the leading cause of cyberattacks and data breaches as they are easily stolen through phishing attacks, malware, and brute-force attacks. That’s why, since the mid-2010s, biometric authentication techniques and multi-factor authentication (MFA) have become common in the workplace. 

Two-factor authentication (2FA) is the most common type of MFA, requiring users to provide two separate forms of identification for verification. This is typically done through a combination of something the user knows, like a password, and a device the user owns, like a smartphone. Many of us automatically associate 2FA methods with protecting digital assets; however, this authentication method is also used to protect physical assets through strategies like ID badging or fingerprint scanning. 

One of the most common forms of 2FA is SMS two-factor authentication (SMS 2FA), where a code is sent to the user’s mobile phone via SMS text to verify their identity. While SMS 2FA is considered a relatively secure form of 2FA, it’s not without its flaws.  

2FA Is Vulnerable to SMS Interception   

One of the biggest security flaws with SMS 2FA is the possibility of SMS interception. This occurs when a malicious actor intercepts the SMS message containing the verification code. They then use this code to gain access to the user’s account even if they don’t know the password. This is done through techniques such as SIM swapping where the attacker takes control of the victim’s cell phone number.  

Two-Factor Authentication Is Vulnerable to Social Engineering  

SMS 2FA is also vulnerable to social engineering attacks. This occurs when a hacker tricks the user into giving up their verification code, either through a phone call or an email, by posing as a person or representative from an organization the user trusts. For example, the cybercriminal might pretend to be from a bank or an online retailer and ask the user to provide their authentication code or one-time password for account security purposes.  

Delays in Receiving SMS   

Another issue with SMS 2FA is that there can be delays in receiving SMS codes. This is caused by network congestion, problems with the carrier, or other technical issues. The user is then unable to log into their account even if they know their password and are trying to do so from a trusted device.  

Given these security flaws, it’s important to consider passwordless forms of 2FA, such as app-based 2FA or hardware tokens. App-based 2FA works by using a code generator app (such as Microsoft Authenticator or Google Authenticator) on the user’s cell phone to generate a one-time passcode (OTP) for logging into their online accounts. This eliminates the possibility of SMS interception and reduces the risk of social engineering attacks.  

Hardware tokens, such as key fobs, work by generating a unique code that the user enters to log into their account. This eliminates the reliance on the user’s mobile device and reduces the risk of delays in receiving text messages.  

2FA Key Takeaways:  

  • Two-factor authentication requires two different authentication factors for identity verification 
  • SMS-based two-factor authentication contains several security flaws, including susceptibility to social engineering and the possibility of messages being intercepted  
  • Limitations of SMS two-factor authentication also include delays in receiving messages  
  • Alternative forms of two-factor authentication, like hardware tokens or authenticator apps (e.g. Microsoft Authenticator), reduce some risks associated with SMS 2FA  

Anders Technology has experience developing cybersecurity architecture to manage vulnerabilities and protect private information from falling into the wrong hands. Learn more about how our clients protect their businesses and assets from evolving cyber threats with our cybersecurity strategies or request a consultation with one of our technology specialists below. 
