Online security has undergone constant change over the last few years. Extremely sensitive activities such as financial transactions and filing of taxes can no longer be protected by the traditional security layer of a username and password alone. They now require an additional layer of security in the form of authentication via email and added security questions. This extra security ensures that all stored data is encrypted and secure. However, just as security professionals are finding innovative methods for securing data, cybercriminals are also getting creative with practices such as social engineering and phishing.
Since the advent of smartphones, the usage of mobile phones has increased. Now, billions of people have access to a smartphone. As a result, enterprises have set up SMS as another layer of security and actually made it a default method of two-factor authentication (2FA). Usernames and passwords combined with SMS through 2FA have worked in cutting down on attacks and breaches.
No matter how old and traditional the SMS method seems, it is likely to remain as long as mobile technology is in place. SMS can also be used for multiple purposes such as getting alerts about the arrival of a cab or Uber ride, delivery notifications of your Amazon order, and other day-to-day alerts. According to Statista, only 37% of the global population will be using smartphones by 2020. For the rest, SMS-based 2FA may remain the best option.
However, the sad part is that SMS is still the least secure method of authentication. There have been instances of attackers taking control of bank accounts by convincing telecom companies to move account holders’ phone numbers to a new SIM card. This gave them access to the 2FA SMS notifications and let them siphon away all the money in these accounts. There have also been instances where the contents of an SMS have been exposed through wireless web portals.
Enterprises must learn to balance the risks associated with 2FA while providing a smooth experience to users. NIST (the National Institute of Standards and Technology) has suggested that SMS should be the last choice of 2FA, only after the other forms of authentication have been attempted.
Even though there has been huge market penetration of smartphones, users who have phones with limited capabilities still require some sort of protection. While SMS shouldn’t be the default authentication method, it can be offered as an alternative for those who don’t have any other choice. If there are better choices than SMS 2FA, then businesses should go for them whenever possible.