In December 2024, the FBI and CISA advised Americans against using SMS codes for multi-factor/two-factor (MFA/2FA) authentication. CISA’s Mobile Communications Best Practice Guidance bluntly recommended: “Do not use SMS as a second factor for authentication. SMS messages are not encrypted–a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.”
This guidance came in response to the recent Salt Typhoon cyber espionage attacks, in which bad actors infiltrated multiple telecom companies and accessed call and data logs for an unknown number of victims.
However, the advice to transition from SMS-based 2FA to stronger forms of authentication long predates this attack. Security experts said it in 2023, 2020, 2018, and as early as 2016, when NIST issued guidance discouraging the use of SMS as an authenticator.
But now, after numerous high-profile MFA bypass attacks, this advice is increasingly urgent, and companies are being forced to reevaluate the role of SMS in their authentication.
Why SMS-based MFA is risky
There are many reasons why SMS one-time passwords (OTPs) are a weak authentication factor. They can be intercepted or extracted in many kinds of attacks, not all of which require the scale and sophistication of the Salt Typhoon intrusions.
Other scenarios in which SMS can be compromised include:
- SIM swapping attacks, in which attackers convince (or bribe) a carrier’s staff to move the victim’s phone number to a SIM the attacker controls. From that point, every SMS to the number, including OTPs, is delivered to the attacker.
- Smishing, or SMS-phishing attacks, which lure users to fraudulent websites that collect their password and then the OTP. With a real-time proxy (adversary-in-the-middle) phishing kit, the attacker relays the code to the real site before it expires, so the code’s short lifetime offers no protection.
- Interception attacks, which exploit the fact that SMS is not end-to-end encrypted. Anyone with access to a carrier’s core or signaling network can read or reroute messages in transit, and malware on the phone with permission to read SMS can read the code on the device itself.
Despite its vulnerabilities, SMS-based MFA is still surprisingly common, and for understandable reasons. Most people have mobile phones capable of receiving SMS, even if they don’t have access to more secure forms of authentication, such as biometrics or hardware keys. Until recently, MFA bypass attacks were relatively uncommon. However, this is no longer the case; MFA itself has become more common, and hackers are nothing if not adaptable, so they have predictably learned to target MFA at its weak points.
Now, the longstanding advice to phase out SMS-based MFA has finally become unignorable, and security professionals are searching for alternatives that will improve access controls without breaking the bank or making employees miserable.
How to replace SMS 2FA with more secure authentication factors
As previously mentioned, SMS has been such a popular and durable authentication factor because the technology is so widespread. There is no single substitute that can fully replace it; companies will need to adopt a layered approach for various resources and users.
CISA’s best practices recommend several solutions to create more phishing-resistant MFA. This advice is applicable to any organization, regardless of its security vendors, but is particularly relevant for 1Password customers:
Fast Identity Online (FIDO) authentication. As CISA notes, “FIDO authentication uses the strongest form of MFA and is effective against MFA bypass techniques.” The most secure form of FIDO authentication is a hardware security key such as Yubico’s YubiKey, but it’s not feasible for most organizations to purchase these for any but their most highly-targeted employees. For the rest of your workforce, CISA notes that “passkeys are an acceptable alternative.” Both work the same way underneath: the credential’s private key never leaves the authenticator, and the browser binds every login to the website origin it actually loaded, so a lookalike phishing site cannot obtain anything it could replay.
1Password is a longtime champion of passkeys (as well as a board member of the FIDO Alliance) and supports secure storage and sharing of passkeys in the 1Password app.
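To make the origin-binding claim above concrete, here is an added example (not 1Password’s or the FIDO Alliance’s code) of the checks a WebAuthn relying party performs on a passkey assertion before it even looks at the signature. The relying party ID `example.com`, the origin `https://example.com`, the challenge value and the assertion bytes are all constructed inline for illustration; the final step of a real verification, checking the signature over authenticatorData || SHA-256(clientDataJSON) against the registered public key, is deliberately left out so the example stays focused on why a phished assertion fails.

```python
# Added example (not 1Password's or the FIDO Alliance's code): the checks a
# WebAuthn relying party makes on a passkey assertion. The RP ID, origin,
# challenge and assertion below are constructed for illustration; signature
# verification over authenticatorData || SHA-256(clientDataJSON) is omitted.
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the RP serves
CHALLENGE = bytes(range(32))             # constructed; real RPs use random bytes per login

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, challenge: bytes, rp_id: str,
                   sign_count: int = 7, user_verified: bool = True) -> dict:
    """Simulate what the browser and authenticator hand back to the site.

    The browser writes the origin it actually loaded into clientDataJSON; a
    phishing page cannot change that field. The authenticator hashes the RP ID
    the credential was registered for into authenticatorData.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()
    flags = FLAG_USER_PRESENT | (FLAG_USER_VERIFIED if user_verified else 0)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags])
                 + struct.pack(">I", sign_count))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def check_assertion(assertion: dict, expected_challenge: bytes,
                    last_sign_count: int = 0, require_uv: bool = True):
    """Relying-party checks on a passkey assertion (everything before the signature).

    Returns (ok, reason). Each rejection corresponds to an attack the check stops:
    stale or foreign challenge = replay, origin mismatch = phishing proxy,
    non-increasing counter = possible cloned authenticator.
    """
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')!r}"
    auth = assertion["authenticatorData"]
    if len(auth) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(auth[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    flags = auth[32]
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_USER_VERIFIED:
        return False, "user verification required but not asserted"
    sign_count = struct.unpack(">I", auth[33:37])[0]
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, "ok"


if __name__ == "__main__":
    print(check_assertion(make_assertion(EXPECTED_ORIGIN, CHALLENGE, RP_ID), CHALLENGE))
    print(check_assertion(make_assertion("https://example-com.login-verify.net", CHALLENGE, RP_ID), CHALLENGE))
```

In practice the phishing case never reaches the server: the browser refuses to produce an assertion at all when the requested RP ID is not a registrable suffix of the page’s origin, so the attacker’s page cannot even prompt for the passkey. The server-side origin check is the second line of defence, and the challenge check is what stops a captured assertion from being replayed later.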
Non-SMS authenticator codes. One-time codes are popular authentication factors because they offer a low-friction way to verify a user’s identity using a device they already have, but they’re only as secure as the channel used to deliver them. (So, in the case of SMS or email, not very.) Authenticator apps don’t transmit codes at all: the app and the server each hold a copy of a secret provisioned once (usually via a QR code) and independently derive the same time-based code from it, so there is nothing for a SIM swapper or a carrier-network intruder to intercept.
However, authenticator codes are still phishable: a social engineer or a proxy phishing site can trick a user into typing the current code, and it remains valid for the rest of its short window. The way to minimize that risk is to automate the exchange of the code as much as possible, so the user never reads and retypes it. 1Password can function as an authenticator and helps reduce this risk (as well as user friction) by automatically filling one-time codes for users. Because a password manager fills a code only into a site whose URL matches the saved login, a lookalike phishing domain never receives it, which makes the experience both seamless and more secure.
Password managers. Passwords are nearly always the first factor in an MFA login rather than the second, but strong, unique passwords nevertheless help prevent MFA bypass attacks. Many such attacks rely on a compromised password as the first key to unlock an account and the SMS code as the second. Fewer compromised passwords mean fewer attacks, period.
CISA specifically calls out password managers, including 1Password, that “automatically alert on weak, reused or leaked passwords.” 1Password Watchtower provides these alerts for users, as well as flagging websites where 2FA is available and not yet enabled.
Another best practice (although not mentioned by CISA) is device-based authentication, in which a credential bound to the user’s device serves as a factor. This has the security benefit of a hardware key (it’s phishing-resistant because the user never sees or types the credential, so there is nothing for a phishing page to ask for) and it doesn’t require an extra piece of hardware for companies to buy or users to keep track of. It attests to the device rather than the person, so it complements a user factor rather than replacing one.
1Password Extended Access Management offers this form of authentication as part of 1Password Device Trust, which ensures that only known and secure devices can authenticate to a company’s apps, regardless of whether or not they have a password or OTP.
Strong authentication means end-to-end and top-to-bottom
As discussed, not every employee needs the same level of authentication security. A high-level administrator might merit a hardware key as well as a biometric factor, while an entry-level marketer will be well served by a strong password and an authenticator app. But regardless of a person’s seniority or job title, SMS-based authentication doesn’t belong in the mix at all. Even that entry-level marketer, for instance, might have login credentials for the company’s social media accounts, which could cause devastating damage in the hands of a bad actor. So security measures like password managers and device trust really belong at every level of an organization.
Unfortunately, some of an organization’s most vulnerable accounts often receive the least security. A 2023 report found that “domain administrators are three times more likely to face account probing than regular users,” yet the report “observed numerous administrators with no MFA, weak MFA, and sitting in MFA exclusion groups.” The report’s authors noted the same phenomenon with executives, who are also high-value targets.
The solution to the problem of uneven MFA rollout is twofold. First, security professionals must seriously consider how to reduce friction in any authentication approach they adopt. The more hoops workers have to jump through and the more productivity they lose, the more likely they are to circumvent security measures. Second, organizations must enforce strong MFA by building a culture of security that extends to every user, at every level.
To learn more about how 1Password can help your organization improve its access security, schedule a call today.