Should You Use SMS Two Factor Authentication?
Some of you read “People” because it’s fun. I read publications like “TechWorld” because, well, it’s fun! And so you don’t have to! In a recent report, the National Institute of Standards and Technology advised the public to consider abandoning SMS two factor authentication. Others, however, aren’t so sure this is the right step to prevent identity theft. Perhaps the report was a little harsh, given all the benefits SMS has provided in terms of security? Let’s examine.
When you answer a message from someone, there is no doubt you want to be sure that this person is who they claim to be. In fact, most of us look at the phone number and rarely question what caller ID says, but even caller ID can be spoofed. And as hackers become more prominent, they are finding more ways to spoof SMS two factor authentication. It is therefore crucial that we remain vigilant about protecting our information, and in many ways SMS two factor authentication continues to do so.
The Importance of Authorization
When it comes to authorization, you want to feel confident that only you have the ability to access your information. We know a simple username/password combo isn’t enough to keep criminals out of your accounts and help prevent identity theft.
How SMS Two Factor Authentication Works
With SMS two factor authentication, a secondary one-time password is sent via text. In order for SMS two factor authentication to work, the following elements are required:
- Possession of a device or mobile phone
- A PIN and/or passcode or a retina or fingerprint to get into the device
- A username and password to access an online account
- A one-time SMS password sent via the website
All of this needs to be provided in order to gain access to a critical account, which has proven to be sufficient for most users.
This means that a hacker would require access to the device, the PIN and/or passcode, the username and password, and the one-time password in order to retrieve the information they are looking for. This would be considerably more difficult than needing only the online account password. In essence, this reduces the probability that someone will be able to not only hack your password, but then hack your device to retrieve the PIN.
How Are Hackers Circumventing SMS Two Factor Authentication?
Man in the middle attacks:
- Hacker gets ahold of your username and password.
- Hacker tries to log in and gets denied because of SMS two factor authentication.
- Hacker contacts you via phone, email or social media with a ruse requesting your one-time password.
- Hacker actually poses as you at a cell phone carrier’s brick and mortar store and gets a phone with your phone number.
Changing preregistered phone number:
- Hacker contacts/socially engineers a website that you have set up with SMS two factor authentication and they allow the hacker to make a change in the registered mobile number.
Increase in Confidence Among Users
When using SMS two factor authentication, you do not have to be concerned if your password falls into the wrong hands, because the criminal still needs your one-time password to get in. Companies that advertise this benefit have a better chance of boosting their customers’ confidence and attracting more interest in their products and services with this added security.
So, should you abandon SMS two factor authentication? Not if you want to have an extra layer of protection. But as you can see, SMS two factor authentication is not foolproof. Over time, we will see more vulnerabilities, and we will also see banks and others use additional measures meant to protect us.
I’m confident in two things:
- Banks will figure out consumer friendly ways to keep us safe with an alternative to SMS two factor authentication.
- As an avid reader of the IdentityForce blog, you’ll be one step ahead of hackers as long as you continue to share and read these posts to maintain a level of cyber security smarts.
Latest posts by Robert Siciliano (see all)