The FBI and CISA recently communicated to the industry about the dangers of using SMS messaging due to recent breaches of telecom providers by Chinese threat actors.
Consequently, one of the more frequent questions we get is around the use of 2-factor authentication methods and what is “best”. The answer to that question is nuanced and is really a balance of a number of factors. In this article, we will detail the most common methods with pros/cons of each.
Two-factor authentication (2FA) enhances security by requiring two separate methods to verify a user’s identity. These methods typically fall into three categories:
1. Something You Know (e.g., password, PIN)
2. Something You Have (e.g., phone, hardware token)
3. Something You Are (e.g., fingerprint, face recognition)
Common Methods of 2FA
SMS-Based Authentication
How It Works: A code is sent via text to your registered phone number.
Pros:
- Easy to set up and use.
- No additional app or device needed.
Cons:
- Vulnerable to SIM swapping and phishing attacks.
- Relies on cellular network availability.
Authenticator Apps (TOTP)
How It Works: Apps like Google Authenticator or Authy generate time-sensitive codes.
Pros:
- More secure than SMS.
- Works offline.
Cons:
- Requires a smartphone.
- Access can be lost if the app or device is inaccessible (backup codes recommended).
Push Notifications
How It Works: A notification is sent to an app, requiring you to approve or deny the login attempt.
Pros:
- Convenient and fast.
- Prevents phishing since you confirm directly in the app.
Cons:
- Requires internet access.
- Relies on the app or service provider’s uptime.
Hardware Tokens
How It Works: A physical device, like a YubiKey, generates or stores authentication codes.
Pros:
- Extremely secure and phishing-resistant.
- No reliance on connectivity or apps.
Cons:
- Can be lost, stolen, or damaged.
- Requires purchasing a device.
Biometric Authentication
How It Works: Uses fingerprints, facial recognition, or retinal scans for authentication.
Pros:
- Convenient and quick.
- Difficult to replicate or steal.
Cons:
- Privacy concerns (e.g., biometric data storage).
- May fail with physical changes (e.g., injury).
Email-Based Authentication
How It Works: A code or link is sent to your registered email.
Pros:
- Familiar and easy to use.
- No additional device needed.
Cons:
- Vulnerable if email account is compromised.
- Slower than other methods.
Backup Codes (one-time passwords)
How It Works: A set of one-time-use codes provided during setup.
Pros:
- Useful if primary 2FA methods are unavailable.
Cons:
- Must be securely stored and can be lost.
Comparison Table:

| Method | Pros | Cons |
| --- | --- | --- |
| SMS | Easy to use, widely supported | Vulnerable to SIM swapping, requires cell service |
| Authenticator Apps | Secure, works offline | Requires smartphone, access can be lost |
| Push Notifications | Convenient, phishing-resistant | Internet required, depends on provider |
| Hardware Tokens | Very secure, phishing-resistant | Can be lost or damaged, additional cost |
| Biometrics | Fast, difficult to replicate | Privacy concerns, physical changes may fail |
| Email | Familiar, no extra devices needed | Slower, insecure if email is compromised |
| Backup Codes | Reliable fallback | Must be securely stored, limited usability |
What About SALT TYPHOON and the FBI/CISA Recommendations?
How does this all fit into the recent FBI/CISA communication about SMS being insecure?
The basic answer is that SMS is an unencrypted communication method, so anyone who can access these messages "in flight" can read them.
In the SALT TYPHOON case, Chinese threat actors hacked into telecom firms and captured call and text data en masse. Because SMS is not encrypted, all of the stolen text data was in plain text and readable, including any one-time codes it carried.
In a general sense, you, as both an individual as well as an organization, should be looking to move away from SMS as a communication and authentication method and moving to a more secure and resilient method. This is not new and has been the recommendation of the security industry for some time now.
While this may seem simple at first glance, it is usually a balance of several factors: from the business side, user acceptance, usability without significant business impact, and the cost of the technology; from the threat side, your security needs, your threat model, and how heavily your industry is targeted.
The detail given in this article should give you a start in evaluating the best method for your use case.