Stop Using Sms As Part Of Multi Factor Authentication Mfa

14 Jan 2021 - sj, tags: insights

In today’s security landscape passwords alone might not be sufficient to protect resources. One way to improve the authentication process is asking something else beyond the passwords.

Many products as well as several banks offer multi-factor authentication (MFA) as a method to increase security. One possible solution for the second factor is SMS or voice based.

However, a HelpNet article “Microsoft advises users to stop using SMS- and voice-based MFA” suggests that this is the least secure solution for the following reasons (quoted from the article):

• “Support agents at companies operating publicly switched telephone networks (PSTN) can be tricked, bribed or coerced by attackers into providing access to the victims’ SMS or voice channel (eg. via SIM swapping)”
• “PSTN networks are not 100% reliable, meaning the message or call may not come when needed”

Conclusion

We don’t have to discard MFA, instead we must swap the 2nd factor (ie. SMS or voice calls) to a Time based One Time Password (TOTP) solution. You may choose an app running on your smartphone, or you may even use a hardware token like Yubikey.

Fortunately, several applications support MFA authentication with TOTP. It’s a wake up call for banks to add support and replace the SMS code they use with a TOTP solution.

I believe that an email archive should also feature multi-factor authentication to improve security. Piler enterprise supports MFA + TOTP authentication scheme out of the box.