In my previous post, I talked about how the COVID19 pandemic has impacted how our customers use MFA - more specifically how SMS authentication is on the rise as organizations look to rapidly roll out a quick and easy secondary auth method in response to the need to embrace remote work. In this post, I’ll go into more detail around issues with SMS as a factor, and some alternative methods that I’d recommend.

We’re all familiar with SMS - if you have ever received a text message, you know how easy a form of communication it is. That’s why, for years now, SMS has also been considered a great option as a second form of identity verification - commonly known as SMS OTP (one time passcode).

For example - log into your banking app on a new device, receive a text sent to confirm your identity. Or, log into Facebook from a new location - receive a text to verify it was really you attempting to log in.

Easy, familiar, and thought to be “secure enough.” This has also extended to the workplace for companies that have implemented MFA - log into your work email, Slack or other apps, and just provide an SMS OTP to complete the login.

In recent years, mobile security threats and data breaches have proven that unfortunately, SMS OTP as an MFA factor, similar to the password, is past its glory days. SMS OTP seems like a quick way to get up and running with MFA, but is it really the best option?

In 2016, NIST started indicating that it no longer considered SMS secure, and recommended deprecating this option as a method of MFA. While they have since softened their stance to an extent, it’s still clear that SMS was not designed with the intent to securely transport data.

Common issues with using SMS OTP as an MFA factor

While SMS OTP is easy to deploy because everyone has a phone, it’s not truly a secure way to access accounts.