Abstract

You know your business needs multi-factor authentication, but chances are you see a lot of pushback from your employees because of how inconvenient it is for their work. In an effort to please everyone, you implement SMS authentication out of sheer convenience, but the innovation of SIM swapping means that this method of MFA is a vulnerability rather than a security solution. A hacker doesn’t need to steal your phone; they just need to trick a customer service representative at your mobile carrier to port your phone number to a new SIM card they control. If your second factor can be stolen so easily, what’s your business supposed to do?

Protect Against Attacks That Target MFA Fatigue

Attackers know that MFA is annoying for employees to deal with, which is exactly why they try to weaponize our own psychology against us. Once MFA fatigue settles in, employees might approve logins even if they don’t make sense. By then, it’s too late; the hackers are in and they’ve changed enough settings to lock everyone out for good.

We recommend you use authentication methods that avoid the risk associated with MFA fatigue entirely.

Use an Authenticator App for Localized Security

One step removed from SMS are time-based one-time password (TOTP) apps, which generate codes locally on the device itself.

No code is sent through a mobile carrier, so there is nothing to intercept or redirect through the SIM-swapping process we outlined above. The code only exists on that specific device for 30 seconds; after that, it’s gone for good. This simple shift means you avoid 90% of the risks associated with mobile carriers.

If your team is already using smartphones, this is a simple upgrade that can be a serious improvement for your defenses.

Try Out Number-Matching Notifications

If a push notification is more your speed, we recommend you set up number-matching to go alongside it.

With this feature enabled, upon login, your team will see a random number on their computer screen. The employee will then receive a prompt on their phone to type in the number displayed. This means a hacker in another geographic location cannot see the number on your screen, and an employee can’t accidentally approve a login while their phone is in their pocket.

This method forces a conscious, manual action that makes sure the person logging in is who they claim to be—or at least the person holding the device.

Use FIDO2 Hardware Keys for High-Risk Users

Your business likely has an admin account for email, your payroll software, and even your bank, all of which should be protected by a physical hardware key.

These small USB or NFC devices follow the FIDO2 standard, allowing users to log in only when physically inserting a key into their laptop or tapping it against their phone. There’s no code to type and no notification to approve. All the user has to do is have their physical key in the vicinity.

These keys are neat in that they can detect fake phishing websites even if the user can’t: the credential is tied to the legitimate site’s address, so when a lookalike site at a different URL asks for it, the hardware key refuses to provide the credentials, making the user far less likely to fall for tricks and traps.

NetMGM knows that security is a tough job, and that’s why we help small businesses like yours implement solutions to make it as easy as can be. Learn more today by calling us at 888-748-2525.

Still Using SMS Authentication? You Better Not Be

ABOUT THE AUTHOR

Rafiq Masri

With over 25 years of experience in Information Technology, Rafiq is one of the most accomplished, versatile and certified engineers in the field. He has spent the past two and a half decades administering and supporting a wide range of clients and has helped position Network Management, Inc. as a leader in the IT Managed Services space.

Rafiq has built a reputation for designing, building and supporting top-notch IT infrastructures to match the business objectives and goals of his clients.

Embracing the core values of integrity, innovation, and reliability, Rafiq has a very loyal client base with some customer relationships dating back 20+ years.

Rafiq holds a bachelor’s degree in Mechanical Engineering from the University of Michigan and has completed graduate programs in Software Engineering and Business at Harvard and George Mason University. Rafiq is a former founder and CEO of Automation, Inc. in Ann Arbor, Michigan as well as a valued speaker on entrepreneurship and technology at industry events such as ExpoTech and others.