Businesses are increasingly relying on technology and online services to store and manage their sensitive information. However, with the rise in cybercrime, businesses face a constant threat to their data security. Cybercriminals keep developing new and sophisticated methods to gain unauthorised access to business systems and steal sensitive data. In this context, using strong authentication is a must for controlling access to business-critical information. At Admincontrol, two out of three customers have adopted this crucial security measure, and we urge others to follow suit. Remember, the strength of your authentication process can be the difference between secure data and a serious breach.
Strong authentication involves the use of multiple factors to verify the identity of a user before granting access to sensitive data. This includes something the user knows, such as a password or security code, something the user has, such as a security token or smart card, and something the user is, such as a biometric identifier like a fingerprint or facial recognition. This is what we call multi-factor authentication (MFA) or two-factor authentication (2FA).
SMS-based 2FA has several drawbacks
SMS-based two-factor authentication (SMS 2FA) is a commonly used method for adding an extra layer of security to the authentication process. With SMS-based 2FA, the user receives a one-time code via a text message to their registered mobile phone number. The user then enters this code as a second authentication factor to gain access to the system.
While SMS-based 2FA is better than no 2FA at all, it has several drawbacks. Firstly, SMS-based 2FA is vulnerable to SIM swapping attacks, where a hacker can take control of a user's phone number by convincing the phone company to transfer the number to a new SIM card. Once the hacker has taken control of the phone number, they can receive SMS-based 2FA codes and gain unauthorised access to the user's accounts.
Secondly, SMS codes can be intercepted. SMS is sent unencrypted over the phone network, and the phone networks have a number of known security weaknesses that a hacker can take advantage of to intercept the 2FA code. This is not the case for codes created by an authenticator app, which are therefore less susceptible to interception.
Finally, there may be delivery issues with SMS messages, making it hard for the user to complete the authentication process.
An authenticator app makes you more secure
In contrast, an authenticator app, such as Google Authenticator or Microsoft Authenticator, is a much more secure form of 2FA. An authenticator app generates one-time codes that are only valid for a short time and can only be used once. The authenticator app stores the secret key used to generate these codes on the user's device, adding an extra layer of security.
Also, authenticator apps are not vulnerable to SIM swapping attacks as they do not rely on a phone number for authentication. This means that even if a hacker gains control of the user's phone number, they won't be able to access the authenticator app.
An authenticator app is therefore a much more secure form of 2FA than SMS-based 2FA. By using an authenticator app, businesses can greatly increase the security of their authentication process and reduce the risk of unauthorized access to sensitive information.
Authentication has become a compliance requirement
Strong authentication has also become a compliance requirement. The GDPR specifically states that data controllers and processors “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
Phishing and the use of stolen credentials are the two most common methods used by cyber criminals to gain access to systems, according to the 2022 data breach investigation report (3). These attacks therefore pose a high risk that businesses must protect themselves against.
In August 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) stated that not using two-factor authentication is considered bad security practice (1). As early as 2017, the European Union Agency for Cybersecurity (ENISA), which is the European equivalent to the CISA, provided similar guidance on the same topic (2).
Therefore, in the current threat landscape, the use of strong authentication is a must for accessing business-critical information.
By switching to authenticator apps for strong authentication, businesses can greatly reduce the risk of unauthorized access, protect against phishing attacks, and comply with the regulatory requirements.
Further reading:
Would you like to know more? See our articles on 2FA in general:
https://blog.admincontrol.com/en/why-is-two-factor-authentication-2fa-so-important
How to configure an authenticator app in Admincontrol:
Read the description of how users can set up an authenticator app in the help centre.