Syniverse, a company that routes text messages between carriers, disclosed in an SEC filing last week that it had been the target of a breach that went undetected for roughly five years. During that time, attackers most likely had access to messages sent to and from customers of some of the world's largest telecommunication companies, including Verizon, AT&T, and T-Mobile. That Syniverse was a target hardly comes as a surprise, considering how many authentication codes are delivered by text message every day.

As far back as 2016, a draft of the NIST Digital Identity Guidelines (SP 800-63B) noted, "using SMS is deprecated, and will no longer be allowed in future releases of this guidance," because SMS messages are easy to intercept and phone numbers are easy to redirect.

  • SMS is not end-to-end encrypted. Codes are readable by the carrier, by anyone with access to the SS7 signaling network (which can also be abused to reroute a victim's messages), and, where 2G over-the-air encryption is weak or absent, by a fake base station (an IMSI catcher or rogue femtocell) or a software-defined radio.
  • SMS codes are vulnerable to SIM swap (port-out) attacks, in which the wireless provider is tricked into moving the victim's phone number to a SIM card the attacker controls.
  • Mobile malware that has been granted the SMS permission can read incoming codes and forward them to attackers.

Despite this, many organizations, including financial institutions, medical providers, and government agencies, still rely on SMS for MFA. SMS as a second factor is better than no second factor at all, but authenticator apps are preferred, and hardware-based cryptographic authenticators are preferred over those. Some hardware authenticators meet NIST AAL3 (Authenticator Assurance Level 3) and support FIDO protocols, which resist phishing because the device signs a challenge bound to the origin of the site requesting it, so a code cannot be replayed to a look-alike domain.

The key to a successful authentication program is balancing security against usability so that the secure path is also the easy one. Using a risk-based approach, security teams can build authentication systems that combine several MFA options and choose among them according to the type of access requested. For example, users might sign in with an authenticator app, and later present a hardware-based device for administrative elevation, access to highly sensitive data, or large financial transactions. User experience can be balanced with security by leveraging biometrics and SSO where appropriate, and by using adaptive (risk-based) MFA, which requires additional factors only when signals such as a new device, an unusual location, or anomalous activity raise the risk of a request.
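The step-up policy described above, as an added example (not code from the original article): a small Python policy evaluator that ranks a user's enrolled authenticators, raises the required level for sensitive actions and for risk signals, prefers an authenticator app over SMS whenever the app is strong enough, and refuses to let a stale factor authorize a step-up. The level ordering, action names, risk signals, dollar threshold, and the 300-second freshness window are assumptions chosen for illustration, not values taken from the article or from NIST.

```python
"""Adaptive / step-up MFA policy evaluator (added example, not from the article).

All names, thresholds and signals below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional, Set


class Level(IntEnum):
    """Assurance a factor provides, ordered as the article ranks them
    (SMS < authenticator app < hardware). Numeric values are an assumption."""
    NONE = 0
    PASSWORD = 1
    SMS = 2
    APP_OTP = 3
    HARDWARE = 4


FACTOR_LEVEL = {"password": Level.PASSWORD, "sms": Level.SMS,
                "totp": Level.APP_OTP, "fido2": Level.HARDWARE}

# When stepping up, ask for the first enrolled factor in this order that is
# strong enough: the app first, hardware if the app will not do, SMS last.
PROMPT_PREFERENCE = ("totp", "fido2", "sms")

# Minimum level per action before risk signals are applied (assumed values).
BASE_REQUIREMENT = {
    "login": Level.SMS,              # any second factor, SMS tolerated
    "view_sensitive": Level.HARDWARE,
    "admin_elevate": Level.HARDWARE,
    "transfer": Level.APP_OTP,       # raised to HARDWARE for large amounts
}
LARGE_TRANSFER = 10_000.0

# Behaviour-analysis signals; each one present raises the requirement a level.
RISK_SIGNALS = {"new_device", "impossible_travel", "tor_exit"}

# A factor used to satisfy a step-up must have been verified this recently.
STEP_UP_MAX_AGE = 300.0  # seconds


@dataclass(frozen=True)
class Factor:
    kind: str           # key of FACTOR_LEVEL
    verified_at: float  # unix time the factor was last verified


@dataclass(frozen=True)
class Decision:
    allow: bool
    required: Level
    prompt_for: Optional[str] = None  # factor to request; None if nothing enrolled suffices


def required_level(action: str, amount: float = 0.0, risk: Iterable[str] = ()) -> Level:
    """Required assurance for an action, escalated by amount and risk signals."""
    risk = set(risk)
    unknown = risk - RISK_SIGNALS
    if unknown:
        raise ValueError(f"unknown risk signal(s): {sorted(unknown)}")
    level = BASE_REQUIREMENT[action]
    if action == "transfer" and amount >= LARGE_TRANSFER:
        level = Level.HARDWARE
    return Level(min(level + len(risk), Level.HARDWARE))


def evaluate(factors: Iterable[Factor], enrolled: Set[str], action: str,
             now: float, amount: float = 0.0, risk: Iterable[str] = ()) -> Decision:
    """Decide whether the session's verified factors cover the action, and if
    not, which enrolled factor to prompt for."""
    required = required_level(action, amount, risk)
    # Anything beyond plain login must be backed by a *fresh* verification, so a
    # hardware touch from hours ago does not silently authorize a wire transfer.
    fresh_only = action != "login"
    achieved = Level.NONE
    for f in factors:
        if fresh_only and now - f.verified_at > STEP_UP_MAX_AGE:
            continue  # stale: counts for nothing here
        achieved = max(achieved, FACTOR_LEVEL[f.kind])
    if achieved >= required:
        return Decision(True, required)
    for kind in PROMPT_PREFERENCE:
        if kind in enrolled and FACTOR_LEVEL[kind] >= required:
            return Decision(False, required, prompt_for=kind)
    return Decision(False, required)  # deny: user must enroll a stronger factor


if __name__ == "__main__":
    # Constructed sample session: password + app OTP verified an hour ago.
    now = 1_700_000_000.0
    session = [Factor("password", now - 3600), Factor("totp", now - 3600)]
    print(evaluate(session, {"totp", "fido2"}, "login", now))
    print(evaluate(session, {"totp", "fido2"}, "admin_elevate", now))
    print(evaluate(session, {"totp", "fido2"}, "transfer", now, amount=25_000))
```

The two design choices worth copying are the freshness window (a step-up is a statement about the user's presence now, not at login) and the prompt ordering, which keeps SMS as a last resort rather than the default fallback.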