Risks of Using SMS for Two-Factor Authentication - 365 Technologies Inc. (2024)

FAQs

Risks of Using SMS for Two-Factor Authentication - 365 Technologies Inc.? ›

One of the primary dangers of using SMS for MFA is the potential for interception. SMS messages are not encrypted, and attackers can intercept them using various techniques, including phishing, malware, and SIM-swapping attacks.

The main risks include: Interception of SMS messages: SMS messages are unencrypted and can be intercepted by attackers. Mobile network dependency: Outages can prevent receiving authentication codes. SS7 vulnerabilities: Though less common now, attackers can exploit the SS7 protocol to intercept messages.

Risks Associated with SMS-based MFA:

SMS-based MFA is vulnerable to various types of attacks, making it less secure than other MFA methods. The lack of encryption on SMS messages, the risk of SS7 attacks, social engineering, and SIM-swapping are significant risks associated with SMS-based MFA.

SMS has long been regarded as a vulnerable communications protocol by security experts—but where 2FA is concerned, the biggest danger is with the possibility of SIM-swapping attacks. In a SIM swap, the bad guys trick cellular carriers into transfering a phone number to a SIM card that they control.

The main weakness of SMS is its lack of encryption. This means that sending any sensitive information via SMS is risky, because it could be intercepted. Therefore, it's preferable to send sensitive or private information over an end-to-end encrypted messaging service.

One of the biggest cons of texting is that it can be emotionless. You don't get to hear someone's tone of voice or see their facial expressions, which can lead to misunderstandings. Additionally, some people use text messaging as a way to avoid difficult conversations, which can create even more issues.

Enterprise SMS Vulnerabilities You Need to Be Aware Of

For instance, an attacker may intercept an SMS message – typically containing sensitive data like a one-time password (OTP) or a two-factor authentication (2FA) message – while the user is roaming.

Microsoft will no longer support SMS for certain types of sign-ins, including sign-ins from new devices and sign-ins that require multi-factor authentication. This is being done to improve security and reduce the risk of unauthorized access.

Once you have entered your password, an authentication code is sent via text message to your mobile device, which you can then enter on the website or application to complete the authentication process. Scammers can get around SMS-based 2FA by using social engineering to get you to send them your code.

As mentioned before, SMS messages can be intercepted or redirected, whereas authenticator apps generate codes locally on your device, making them much harder for a potential attacker to access.

Why should you stop using SMS for two-factor authentication? ›

Even if the user doesn't respond to a push login request or doesn't enter a One-Time Password (OTP) when prompted, a hacker still knows they have a working password now; how, because the delay for the denied message takes longer... Most of us know where this is going; the hacker is persistent in their login attempts.

2FA can be vulnerable to several attacks from hackers because a user can accidentally approve access to a request issued by a hacker without acknowledging it. This is because the user may not receive push notifications by the app notifying them of what is being approved.

One of the biggest problems with MFA is that it can be hacked. As seen in the last section, SMS and voice-based one-time passwords (OTPs) are incredibly vulnerable to phishing attacks, as they can easily be intercepted by a malicious actor.

SMS attacks, in particular, pose a significant threat to all mobile users. SMS attacks involve the creation and distribution of malware by cybercriminals designed to target a victim's mobile device.

Better Security: Text messages are considered to be more secure than email because they are encrypted end-to-end. This means that the message is only accessible by the sender and recipient, making it a more secure method of communication for sensitive information.

Drawbacks you may encounter

The most common reason for this can be the lack of a modern phone or any other gadget that would support such a feature. Problems due to loss of access to one of the authentication factors. This can make it difficult to access a personal account and take some time to solve it.

The main disadvantage of using one-time passwords is that some users may find it to be an inconvenience. Less tech-savvy users may, for example, see the OTP process as confusing or unnecessary, and may need an explanation of its full advantages. A user may also be unable to access the OTP.

Another common 2FA vulnerability is SIM swapping, which is a form of identity theft that involves transferring a user's phone number to a new SIM card controlled by a hacker. This way, the hacker can intercept any 2FA codes sent via SMS or phone call to the user's phone number, and use them to access their accounts.

One of the biggest problems with MFA is that it can be hacked. As seen in the last section, SMS and voice-based one-time passwords (OTPs) are incredibly vulnerable to phishing attacks, as they can easily be intercepted by a malicious actor.