Multifactor authentication (MFA) is widely regarded as an effective technique for identifying legitimate system users before granting access. MFA requires a user to present at least two kinds of proof of identity rather than a password alone: the user first supplies a correct username and password, and then supplies another form of evidence, such as a verification code or a physical object that only the legitimate user should possess. While MFA is a sound mechanism for validating system users, some forms of it are vulnerable to known attacks and may fail to serve the intended purpose of granting access only to authorized users. SMS text-message verification is one such form.
SMS is one of the most widely used channels for MFA. Industry leaders such as Google and Microsoft commonly send verification codes to the phone number linked to an account, and a user who submits the correct code is granted access. However, many people are unaware of the serious security weaknesses of SMS-based MFA. For example, Voxox, a leading communications company based in San Diego, left a database holding more than ten million messages exposed without a password. The database was leaked, and anyone who reached it could read real-time messages containing two-factor verification codes for Google, Microsoft and Huawei IDs, among others. Imagine a malicious individual with access to such a database.
SMS-based MFA is also weakened by how easily a SIM swap attack can be carried out. A SIM swap requires no technical expertise: anyone holding the right personal information about the target can arrange one. In a country like the U.S., the social security number of the targeted SIM holder can be enough to request a SIM swap with a single phone call to the carrier. The new SIM then receives the authentication codes, giving an attacker direct access to all accounts tied to that phone number.
The SS7 signalling network that most carriers use to route calls and text messages has numerous security flaws that are easy to exploit. A breach of SS7 allows a hacker to intercept any message sent to or from your device. SS7 portals, for instance, can allow a hacker to forward all intercepted messages to online devices before rerouting them to their original destinations. This makes it possible to intercept and use a verification code before its owner has even seen it.
Zdziarski, a forensics expert, also argues that text messages are not the best MFA approach, stating that a “mobile phone as a means of authentication can be socially engineered out of your control”. These and other vulnerabilities have led the National Institute of Standards and Technology (NIST) to discourage companies from using SMS-based MFA. Rather than SMS, NIST and leading organizations advocate more secure alternatives such as dedicated MFA apps (for example RSA SecurID and Google Authenticator) and dedicated secure hardware such as a dongle.