Should We Allow SMS Text Messages as a 2FA Method?

Uriah Berry

Cyber crime is growing exponentially, and it’s becoming more expensive for businesses. As cyber threats evolve, what used to be a good security control – a strong password – is no longer enough.

Enter two-factor authentication (2FA). 2FA is a security measure that adds an extra layer of protection to your accounts. Many cyber insurance companies require it, and you’ve probably used it for some of your accounts, such as your email or bank.
But is every 2FA method created equal? And should you allow SMS text messages as a 2FA method? Let's dive in.

What is SMS 2FA?

Before answering the question at hand, let’s first review. Two-factor authentication (2FA) is a security measure that requires two types of credentials before granting access to an account. It falls under the umbrella of multifactor authentication (MFA).
One of the most popular 2FA methods is a SMS text message sent to your mobile device.
The two factors are a password + a code. You enter your password (something you know), and then you receive a text message with a code (something you have) that you also need to enter.

Is SMS 2FA Secure? 

While that’s a popular method, it begs the question: is SMS 2FA secure? The answer is not as straightforward as you might think. On the one hand, SMS 2FA does add an extra layer of security, making it harder for cybercriminals to access your account. Setting up 2FA can block 99.9 percent of automated cyber attacks.
On the other hand, it's not the most secure 2FA method out there, and 0.01% is a bigger vulnerability than it might seem at first glance, and it rises to 24 percent for targeted attacks.
With the more organizations moving to SaaS platforms, like Microsoft 365 and Salesforce for example, bad actors can easily cast a wider net in their attacks and get a better return on minimal efforts.
Why? Because SMS messages can be intercepted.
Cybercriminals can use tactics like SIM swapping or man-in-the-middle attacks to gain access to your text messages. Not too long ago, a hacker showed they could access someone’s text messages for as little as $16.
Imagine it like this: you're passing a note in class, but before it reaches its intended recipient, the class bully intercepts it and reads it. That's essentially what's happening with these types of attacks.

Is SMS 2FA Better Than Nothing? 

Despite its vulnerabilities, is SMS 2FA better than no 2FA at all? In most cases, the answer is yes. Having an extra layer of security is generally better than relying solely on a password. It's like having a second lock on your front door. Even if it's not the strongest lock, it's still going to deter some burglars.
Unfortunately, only 13% of employees at small to medium businesses (SMBs) have mandatory 2FA, which creates major vulnerabilities for these companies.

2FA Best Practices — What We Recommend to Clients

When it comes to implementing and managing 2FA, here are some of the best practices and tips we recommend to our clients:

Integrate your MFA platform with a Single Sign-On solution

This is a crucial step in streamlining the authentication process. Single Sign-On (SSO) solutions allow users to authenticate once and gain access to all systems without needing to log in again. This not only improves user experience but also reduces the risk of password fatigue, which can lead to insecure practices like password reuse.

Encourage users towards using a mobile app as a 2FA method

Mobile apps that support push notifications are generally more secure than SMS. These apps generate codes offline, reducing the risk of interception. Think of it like a secret handshake versus a loud announcement; the former is much harder for eavesdroppers to catch.

Be prepared to supply users with a secure 2FA method, such as a hardware token or USB security key 

For those resistant to installing an app on their phone, hardware tokens or USB security keys provide a secure alternative. These physical devices generate a code that users can input for authentication, acting as a digital version of a physical key.

Prioritize 2FA for external services and privileged access 

If you're just starting out with 2FA, focus on implementing it for external services such as email and Remote Access VPN first. Next, prioritize 2FA for privileged access to various applications. This approach is like fortifying the doors and windows of your house before worrying about the locks on your interior doors.

 Prepare for the future by positioning your organization to disable SMS 2FA 

While SMS 2FA is better than no 2FA, it's the weakest 2FA method. As cyber threats evolve, it's important to stay one step ahead. By nudging users towards more secure 2FA methods now, you can smoothly transition away from SMS 2FA in the future, without disrupting operations.

Perform security assessments on specific applications

Regular security assessments can help identify potential gaps where bad actors could bypass 2FA. This is akin to a regular health check-up; it helps you catch potential issues early before they become major problems.

However, the journey towards robust cybersecurity doesn't end with the implementation of 2FA. It's a continuous process that requires vigilance, adaptation, and a commitment to staying one step ahead of evolving threats.

At Katalyst, we're here to guide your organization on this journey. We offer consulting services and professional service implementations to enhance access security.

Our approach is centered on promoting secure 2FA methods and providing users with the necessary tools for a seamless transition. This includes training for IT staff and end-user help desks, ensuring they're equipped to support the workforce in this critical cybersecurity endeavor.

Learn more about our Security Analysis & Roadmap in this video.  

Uriah Berry

Consulting Engineer Uriah is a sought-after expert for his knowledge and experience in technology. As a Security Consulting Engineer at Katalyst, he spends his time advising business leaders on tactical and strategic solutions to reduce cybersecurity risk, in addition to delivering security solutions and technologies that solve business challenges.