2FA/MFA: Risks & Usability

Why SMS-based MFA is Still A Good Option for Most People

A lot of attention has been focused on the problems with receiving MFA* codes via text messages (SMS). In short, these codes can be intercepted, enabling hackers to get into your account. Because of this, many in the security industry are recommending that people stop receiving these codes via SMS and use authenticator apps or physical keys (e.g., YubiKey).

While abandoning SMS is the more technically secure option, it’s not usually a user-friendly option for the majority of people. When looking at the risks and usability factors involved, SMS-based MFA remains a good option for most people to use. From the perspective of a typical person, here’s why:

Remember, this is from the perspective of a typical (non-technical) person

YubiKey — FIPS, a Yubico product

While receiving MFA codes via SMS does have more vulnerabilities that a hacker can exploit than other MFA options, it is the most usable & budget-friendly way to use MFA. Combined with a good password/passphrase, it adds a layer of security that makes ‘hacking’ into someone’s account far more time-consuming and difficult than in the past.

Moving on from personal situations to organization. If you’re looking at MFA options for your organization, it’s a good idea to not use SMS. The risk of your employees being targeted in their work lives is far greater than in personal, non-work situations. This is because employees are often targets of phishing attacks, and authenticator apps or security keys will do a much better job mitigating at those types of targeted attacks than SMS (security keys are actually the best at preventing phishing.

For example, in 2017 Google required all of its 85,000 employees use security keys (and get rid of SMS- & authenticator-based codes). Since then, Google has had zero (0) successful phishing attacks. That’s a pretty good, cost-saving investment (e.g., spend $2,500 — 5,000 on security keys vs. the costs of getting phished)

Google Authenticator App (Android)

A couple of things to remember:

1. In order to hack into an MFA-enabled account, a user has to obtain/guess the password and MFA code
2. Getting an MFA code usually requires a targeted attack (as opposed to mass-guessing passwords)
3. If you’re at risk of being targeted (e.g., journalist or public figure), SMS-based MFA is not a good option for you.

*MFA (or 2FA): To those who aren’t familiar with these terms, they stand for 2-Factor Authentication & Multi-Factor Authentication. This means that when you try to log in, you have to enter your password plus another code. This code usually comes through an authenticator app (e.g., Google Authenticator or Duo), text message (SMS) or external key (e.g., YubiKey).

[Disclaimer: I am not affiliated with any products/companies mentioned in this post. This post should not be considered as legal nor consultative advice. These are my opinions only.]