Forum Discussion
Which is better authentication method for MFA - App or SMS?
Should I use app based or phone SMS based MFA for my customers? Recently few organisations are asking to take out phone based authentication. Any specific reasons for same.
App based MFA is recommend currently phone-based MFA is the option if you have nothing and there are multiple reasons few outlined below are
1. SIM cloning is evolving
2. SMS and voice calls are not encrypted. Instead, they’re transmitted in clear text, making them easier to intercept. D
SMS codes are vulnerable to phishing.
Phone company employees can be fooled. Attackers can trick an employee into transferring a phone number to the attacker’s SIM card, meaning the security codes get sent to them instead of you.SMS and phone call can be intercepted by your mobile phone network provider. By design, because phone number assignments are controlled by your mobile network provider. What this means is that you're subject to any vulnerabilities in the phones network provider, which you have no control of.
Outages. Authentication apps and security keys work offline. SMS needs the phone service to be available to work and sometimes the phone system can go down when the internet does not.
SMS isn’t likely to get more secure. As multi-factor authentication becomes more common, more attackers will target it. Attackers usually target the weakest link in security and with MFA, SMS is the weakest link.
- Chandrasekhar_AryaSteel Contributor
App based MFA is recommend currently phone-based MFA is the option if you have nothing and there are multiple reasons few outlined below are
1. SIM cloning is evolving
2. SMS and voice calls are not encrypted. Instead, they’re transmitted in clear text, making them easier to intercept. D
SMS codes are vulnerable to phishing.
Phone company employees can be fooled. Attackers can trick an employee into transferring a phone number to the attacker’s SIM card, meaning the security codes get sent to them instead of you.SMS and phone call can be intercepted by your mobile phone network provider. By design, because phone number assignments are controlled by your mobile network provider. What this means is that you're subject to any vulnerabilities in the phones network provider, which you have no control of.
Outages. Authentication apps and security keys work offline. SMS needs the phone service to be available to work and sometimes the phone system can go down when the internet does not.
SMS isn’t likely to get more secure. As multi-factor authentication becomes more common, more attackers will target it. Attackers usually target the weakest link in security and with MFA, SMS is the weakest link.