Businesses increasingly rely on technology and online services to store and manage their sensitive information. However, with the rise in cybercrime, businesses face a constant threat to their data security. Cybercriminals keep developing new and sophisticated methods to gain unauthorized access to business systems and steal sensitive data. In this context, strong authentication is a must for controlling access to business-critical information.
Strong authentication involves the use of multiple factors to verify the identity of a user before granting access to sensitive data. These factors include something the user knows, such as a password or security code, something the user has, such as a security token or smart card, and something the user is, such as a biometric identifier like a fingerprint or facial recognition. This is what we call multi-factor authentication (MFA) or two-factor authentication (2FA).
SMS-based 2FA has several drawbacks
SMS-based two-factor authentication (SMS 2FA) is a commonly used method for adding an extra layer of security to the authentication process. With SMS-based 2FA, the user receives a one-time code via a text message to their registered mobile phone number. The user then enters this code as a second authentication factor to gain access to the system.
While SMS-based 2FA is better than no 2FA at all, it has several drawbacks. Firstly, SMS-based 2FA is vulnerable to SIM swapping attacks, where a hacker can take control of a user's phone number by convincing the phone company to transfer the number to a new SIM card. Once the hacker has taken control of the phone number, they can receive SMS-based 2FA codes and gain unauthorized access to the user's accounts.
Moreover, SMS-based 2FA is susceptible to phishing attacks. A hacker can trick a user into revealing their login credentials and the one-time code by sending them a fake SMS message that appears to come from a legitimate source.
There may also be delivery issues with SMS messages, making it hard for the user to complete the authentication process.
An Authenticator App makes you more secure
In contrast, an Authenticator App, such as Google Authenticator or Microsoft Authenticator, is a much more secure form of 2FA. An Authenticator App generates one-time codes that are only valid for a short time and can only be used once. The Authenticator App stores the secret key used to generate these codes on the user's device, adding an extra layer of security.
Also, Authenticator Apps are not vulnerable to SIM swapping attacks as they do not rely on a phone number for authentication. This means that even if a hacker gains control of the user's phone number, they won't be able to access the Authenticator App.
Finally, Authenticator Apps are not susceptible to phishing attacks. Since the codes are generated in the App, they cannot be intercepted by hackers who are trying to steal the code by sending fake SMS messages.
An Authenticator App is therefore a much more secure form of 2FA than SMS-based 2FA. By using an Authenticator App, businesses can greatly increase the security of their authentication process and reduce the risk of unauthorized access to sensitive information.
Authentication has become a compliance requirement
Strong authentication has also become a compliance requirement. The GDPR specifically states that data controllers and processors “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
Phishing and the use of stolen credentials are the two most common methods cybercriminals use to gain access to systems, according to the 2022 data breach investigation report (3). This is therefore a high risk that businesses must protect themselves against.
In August 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) stated that not using two-factor authentication is considered bad security practice (1). As early as 2017, the European Union Agency for Cybersecurity (ENISA), which is the European equivalent to the CISA, provided similar guidance on the same topic (2).
Therefore, in the current threat landscape, the use of strong authentication is a must for accessing business-critical information.
By switching to Authenticator Apps for strong authentication, businesses can greatly reduce the risk of unauthorized access, protect against phishing attacks, and comply with the regulatory requirements.
How to configure Authenticator App in Admincontrol: Read the description of how users can set up the Authenticator App in the help centre.