Do you know your MFA from your SMS?

This time last year, we were writing about multi-factor authentication as the security solution that too few people were using. And we are sure that, in the last twelve months, if you haven’t started using it at work, you will be using it at home for your banking, or something similar. It has become familiar to us all.

We’ve launched many customers into regular MFA use in the last year. Our experience is that, at first, many businesses are reluctant to roll out MFA across all their users – they perceive it to be hard to manage and an extra step that slows access to work. And, in our real-world experience, they are pleasantly surprised by how easy it is to roll out, and how quickly users adapt to entering a pass code every now and again.

So, if you are still putting off activating MFA, please don’t put it off any longer.


But this is not the end of the story. Two facts:

  1. Not all MFA solutions are created equal
  2. Cyber criminals are still trying to get to your data

If you are using a system that sends an SMS text passcode to authenticate users – well done. This is much better than a simple, single-step password access.

But it is not perfect, of course (perfect protection is an ever-elusive goal).

Those shady characters who are hovering outside your gates have ways and means to access text messages. SMS seems to be getting less and less secure:

  • Lock-screen notifications often allow a sneak-peek at a passcode
  • The password-protected app and the SMS passcode may both live on the same phone, which makes the second factor less effective
  • SMS messages can be intercepted
  • SIM cards and phones can be stolen or hacked

These SMS codes are made more effective by the fact that they time out after only a few seconds. And they are a successful additional security control, in that they do increase your resistance to attack. So, SMS passcodes will prevent many attackers from breaching your systems.

There are alternatives to SMS passcodes, of course. There are authenticator apps, like Microsoft Authenticator, which protect your Office 365 logins. Authenticator apps offer an even higher level of protection. Basically, when the user logs into a service, an approval notification is sent to a pre-installed mobile app, and the user approves the login in the app (after unlocking their device, of course).

As authenticator apps grow in popularity, you could end up with multiple apps on your devices. In this case, it might be worth investigating premium authenticator apps – like Duo Mobile. Duo has the advantage of managing multiple authentications within one container. Many authenticator apps are becoming available, but we would strongly recommend using only high-quality enterprise-level apps to protect your logins.

Which style of MFA you should choose completely depends on your own situation. But one thing is guaranteed – some form of MFA is better than no MFA at all. So please don’t let the increasing volume of evidence for SMS insecurity put you off!

Remember: Microsoft say that MFA blocks 99.9% of automated attacks.