Using SMS for two-factor authentication is extremely flawed, and companies should consider alternative approaches:
In the recent cryptocurrency thefts, it could be argued that SMS authentication became more of an attack vector than a security measure.
How do we defend our information against this latest method – and broader authentication fraud? Wouldn’t it make more sense if we could make the authentication process more intelligent and aware of risk? One way forward is to use push notifications to tie your identity to a device rather than to your phone number.
Modern solutions handle onboarding and offboarding users, access certifications, and separation of duties to help organizations maintain compliance with regulations such as GDPR and PSD2. Companies that take a hard look at their risk factors typically land on the strongest possible solution: multifactor authentication.
The user will provide a PIN, password, or fingerprint to log in to a mobile banking app, and if the system detects any additional risk factors, other forms of authentication may be required.
All of these mobile security improvements point to using the device itself for authentication, and not an easily transferable phone number or a message that can be intercepted by mobile malware.
Every layer of defense counts – but as shown by these phone hijacking cases, authentication measures only work if they’re not the weak link.
Sooner rather than later, companies should adopt a risk-based approach that uses multifactor authentication, taking into account location, behavior analytics, and numerous other indicators of identity.
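To make the two ideas above concrete (binding approval to an enrolled device rather than a phone number, and only demanding the extra factor when the login looks risky), here is an added, constructed Python sketch; it is not code from the original article or from any vendor product. It assumes a secret provisioned to the device at enrollment, a toy risk policy built from location, failed attempts and IP novelty, and a push-delivered challenge that the device answers with an HMAC over the nonce and the requested action.

```python
import hmac, hashlib, secrets, time

# Constructed example (not from the article): device-bound approval plus a
# risk-based step-up decision. The device secret never leaves the device, so a
# SIM swap or an intercepted text message does not yield a valid approval.

class DeviceBoundAuth:
    """Server side: enrolled devices, outstanding challenges, risk policy."""

    def __init__(self, challenge_ttl=60):
        self.devices = {}          # device_id -> {"user": ..., "key": bytes}
        self.pending = {}          # nonce -> (device_id, action, expires_at)
        self.known_locations = {}  # user -> set of countries seen before
        self.ttl = challenge_ttl

    def enroll(self, user, device_id):
        key = secrets.token_bytes(32)   # provisioned once, stays on the device
        self.devices[device_id] = {"user": user, "key": key}
        return key

    def risk_score(self, user, context):
        """Toy policy: each unusual signal adds to the score (assumed weights)."""
        score = 0
        if context.get("country") not in self.known_locations.get(user, set()):
            score += 2
        if context.get("failed_attempts", 0) >= 3:
            score += 2
        if context.get("new_ip", False):
            score += 1
        return score

    def start_login(self, user, device_id, context, action="login"):
        """Primary factor (PIN/password) already passed; decide on step-up."""
        dev = self.devices.get(device_id)
        if dev is None or dev["user"] != user:
            raise ValueError("device not enrolled for this user")
        if self.risk_score(user, context) < 2:
            return None  # low risk: no second factor required
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, action, time.time() + self.ttl)
        return nonce  # in practice delivered as a push to the enrolled device

    def verify(self, nonce, device_id, tag):
        entry = self.pending.pop(nonce, None)  # one-shot: a replay fails
        if entry is None:
            return False
        dev_id, action, expires = entry
        if dev_id != device_id or time.time() > expires:
            return False
        key = self.devices[device_id]["key"]
        expected = hmac.new(key, f"{nonce}|{action}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def device_approve(key, nonce, action="login"):
    """Device side: answer the pushed challenge with the enrolled key."""
    return hmac.new(key, f"{nonce}|{action}".encode(), hashlib.sha256).digest()
```

Binding the answer to the action string means an approval for "login" cannot be reused to authorize a different operation, and popping the nonce on first use makes replay of a captured approval fail.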