Serious about enterprise security? It might be time to ditch SMS as your Multi-factor Authentication (MFA) delivery method.
We’ll get to the “why” in a moment. But first, let’s talk authentication.
MFA is an attractive tool for many enterprises, for obvious reasons. By requiring at least two steps to verify a user’s identity, MFA offers additional security without placing too much of a burden on users.
Ideally, those steps are something only the user has access to. The steps can involve something the user knows, or something the user has, or even something the user is.
With at least one extra step involved, the process is, in theory, much more secure. Even if a password is lost or stolen, MFA is supposed to ensure that the right people have the right access to your network.
For even more security, companies can also include the concept of trusted devices. This means users can log in only from computers or mobile devices that have been pre-verified as belonging to the user associated with the login credentials and MFA in question. When combined, this “trusted triangle” — username/password, MFA, and a trusted device — is almost impenetrable.
As noted above, employing an MFA solution heightens security without making the login process unnecessarily inconvenient for users. In fact, a delivery method like SMS (which stands for Short Message Service, if you’ve ever wondered) can be downright convenient. After all, this delivery method requires the user to enter only a simple four- or six-digit code sent straight to their smartphone as a text message.
But that convenience is also the problem. SMS is extremely vulnerable to security breaches. Consider this recent report from TechCrunch, which we’ve excerpted below:
This story illustrates one of the big problems with SMS-based MFA: It’s simply not secure. In this case, anyone who knew where to look could find a huge supply of unprotected text messages. No password. No security. Nothing.
It’s not hard to imagine how bad actors could use those texts to hijack accounts in seconds. And with a compromised device at their disposal, criminals can get to work on a number of shady activities. As Ars Technica notes:
So, why use SMS at all? As noted above, convenience is the biggest factor. Nearly everyone has a smartphone these days, and even “dumb” mobile phones can accept text messages. But the reality is that SMS, like a complicated password, isn’t as secure as it appears. There are plenty of other options that can tighten your security and help you avoid unwanted headlines.
One alternative to SMS is a mobile authenticator. This solution is much more secure and offers multiple ways to do MFA. For instance, you could launch the app and enter the code it generates. Or you could receive a push notification on your smartphone and approve a login attempt with one touch.
Every MFA delivery method has its pros and cons, of course. For many IT directors, knowing which solution is best can be difficult and even intimidating. Fortunately, ICSynergy specializes in just this sort of thing.
With decades of combined experience, our seasoned pros provide industry-leading Advisory Services to companies of all sizes and situations. We work on a case-by-case basis to ensure you have the solution that best fits your IAM needs.
If you’re thinking about replacing SMS as your MFA delivery method (or if you have any other IAM challenge), contact ICSynergy today. We’ll help you identify the best solution, and show you how to roll it out at your organization.
Phone: (214) 764-7644 | 5601 Democracy Drive, Suite 205| Plano, TX 75024
ICSynergy is a trusted Okta Gold partner, with more than 30 successful customer implementations and 30 additional hybrid engagements. Our experience helping organizations of all sizes integrate Okta with their cloud-based and hybrid applications makes us the partner of choice for Okta integrations.
Our experts can assist in your integration of Okta applications such as Single Sign-On (SSO), Multi-factor Authentication (MFA), and lifecycle management – either out-of-the-box, or with a custom solution. With ICSynergy’s SPGateway, we can extend your Okta solution to your on-premises applications, protecting your existing investment.
In addition, ICSynergy offers an array of advisory and managed services to meet any and all challenges arising from your Okta-based architecture.