Why SMS Two Factor Authentication is Unsafe

Our dependence on technology has never been higher, especially during the pandemic. With much of the economy shut for several weeks, people had to run their regular errands online, such as shopping, banking, and general communication. These services all require you to create an account, meaning that you could have several accounts for different online services. At a minimum, it is recommended to use different, complex passwords across these accounts so that no one can access all of them with a single, easy-to-guess password. SMS two-factor authentication has quickly become a target for hackers, who attempt to intercept the authentication using a method called SIM swapping.

What is Two-Factor Authentication?

The password as we know it is dead. Two-factor authentication adds an extra layer of security to your online accounts, such as Facebook, PayPal, banking, and email. It does this by externally verifying that it’s actually you signing in. The aim is to prevent anyone but you from logging in to your accounts, even if they have your password.

  1. The user logs in to their account with their user name and password.
  2. If the credentials are correct, the user becomes eligible for the second factor.
  3. The authentication server sends a unique code to the user’s second-factor device (mobile, smart watch, etc.).
  4. The user confirms their identity by approving the authentication from their second-factor device.
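The four steps above, sketched as server-side logic in an added example (not code from the original article or from any vendor it names). The class and function names, the 60-second lifetime and the three-guess limit are assumptions, and delivering the code to the device is left out.

```python
import hashlib, hmac, secrets, time

CHALLENGE_TTL = 60   # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3     # wrong guesses allowed per challenge (assumed value)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

class TwoFactorServer:  # hypothetical name, for illustration only
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # username -> (salt, password hash)
        self.pending = {}   # challenge id -> [username, code, expiry, guesses left]

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def start_login(self, username, password):
        """Steps 1-3: verify the password, then issue a one-time code."""
        salt, stored = self.users.get(username, (bytes(16), b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None  # wrong password or unknown user: no second factor
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        expiry = self.clock() + CHALLENGE_TTL
        self.pending[challenge_id] = [username, code, expiry, MAX_ATTEMPTS]
        # The id goes back to the browser; the code goes only to the device.
        return challenge_id, code

    def finish_login(self, challenge_id, submitted):
        """Step 4: accept the code once, before expiry, within the guess limit."""
        entry = self.pending.get(challenge_id)
        if entry is None:
            return None
        username, code, expiry, _ = entry
        if self.clock() > expiry:
            del self.pending[challenge_id]   # expired codes are discarded
            return None
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[challenge_id]   # single use: no replay
            return username
        entry[3] -= 1
        if entry[3] <= 0:
            del self.pending[challenge_id]   # stop online guessing
        return None
```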

Traditionally, two-factor verification came via SMS with a code you would enter onto the website. However, a disturbing trend known as ‘SIM swapping’ or ‘SIM jacking’ has made two-factor authentication via SMS extremely unsafe. 

What is SIM Swapping?

There are alternatives to authenticating via SMS, such as Microsoft Authenticator and Duo Security. These authentication apps don’t rely on your phone carrier to authenticate: you receive a push prompt to verify from the app itself. Authentication apps are typically faster and also more secure, as the prompts expire after 30-60 seconds.

At first, authentication via SMS seemed a logical way to add an extra layer of security to computers and online accounts. However, as SIM swapping continues to threaten the credibility of two-factor authentication, we must adopt authentication apps, as they are the safest alternative.

What is Duo Security?

Duo Security is a cloud-based two-factor and multi-factor authentication provider. The application uses internet connectivity to deliver login approval requests, which is a more secure method than receiving authentication via SMS. Duo Security actively involves the user in staying secure by encouraging them to ask, when prompted to authenticate, “did I initiate this or is someone trying to access my account?”

What is a Zero Trust Network?

Zero trust requires stringent identity verification for every user and every device attempting to access resources on a private network, regardless of whether they are situated within or outside the network.

The general philosophy behind a zero trust network is to assume there are threats both within and outside the network. Therefore, no users or devices are automatically trusted.

Another aspect of the zero trust philosophy is least-privilege access. Essentially, this means users are only given as much access as required by the network administrator. This minimises each user’s access to sensitive information.

To speak about cyber security and business two-factor authentication today, call us on 1300 300 293.

admin
