MFA isn’t always secure

Multifactor authentication (MFA) is a method of verifying that a user is legitimate before granting access. MFA requires that users provide valid credentials and at least two forms of authentication.

In practice, this means the user must first provide the correct username and password, and then supply additional proof, such as a verification code or a physical object that only the legitimate user can possess.

MFA methods that are themselves susceptible to attack cannot serve their intended purpose. Text-message (SMS) verification is one such method.

SMS and MFA

SMS is one of the most widely used methods for authenticating users in MFA. Google and Microsoft, two of the world’s most prominent companies, routinely send verification codes to phone numbers that are linked to multiple accounts. Once the code is submitted, access is granted to the user.

Many people may not be aware of the serious security risks associated with SMS-based MFA. Voxox, a San Diego-based communications company, left a database containing over 10 million messages exposed without a password. Anyone who found the database could view, in real time, messages carrying two-factor verification codes for Google and Microsoft accounts. Imagine a malicious individual having access to such a database.

SIM Swap Attacks

SMS-based MFA is also insecure because of the ease with which a SIM swap attack can be carried out. SIM swap attacks require no special skills; anyone holding the required personal information can execute them. A SIM swap request can be made by calling the carrier and supplying the target SIM holder’s social security number. Once the number is moved to the new SIM, the attacker can request authentication codes and gain access to all accounts tied to that number.

Network Security Flaws

The SS7 network, which most carriers use to route calls and text messages, has many security flaws that can easily be exploited. Attackers can intercept messages sent to or from your device via SS7. Using SS7 portals, they can divert intercepted messages to their own online devices before rerouting them to the original destination, so a verification code can be intercepted and even used before its owner ever sees it.

Jonathan Zdziarski, a forensic expert, argues that text messaging is not the best MFA method. He said that “mobile phone can be socially engineered from your control”. The National Institute of Standards and Technology (NIST) has discouraged companies from using MFA based on text messages. NIST and other leading organizations advocate secure alternatives to SMS, including dedicated MFA apps such as RSA SecurID and Google Authenticator, and dedicated hardware tokens such as dongles.