
Why Authenticator Apps Trump Cell Phones for 2FA

November 22, 2023

Most people rely heavily on passwords, but as cybersecurity threats evolve, passwords alone can’t offer all the protection we need. That’s where Multi-Factor Authentication (MFA) comes in, adding an additional layer of security. However, not all MFA methods are created equal: some are more secure than others. To protect your network and data, use an authenticator app on your phone rather than text messages.

In this article, we will review how to keep your accounts safe with the help of your managed IT provider.

The Superiority of Authenticator Apps

While SMS 2FA is vulnerable, authenticator apps like Google Authenticator, Microsoft Authenticator, or Duo provide a more secure alternative. Here’s why:

  1. No SMS Vulnerability: Authenticator apps generate codes locally on the device. There’s no message sent over a network, eliminating the risk of interception. No matter what equipment an attacker has, they won’t be able to grab the code out of the air, because it is generated on your personal device rather than sent to it.
  2. Time-limited Codes: These apps produce codes that are only valid for a short duration. Even if a code is somehow compromised, it becomes useless in a matter of sixty seconds. These codes rotate much faster than codes sent as text messages or over email.
  3. Bound to the Device: The codes are tied to the specific device where the app is installed. Even if someone clones your SIM, they won’t have access to the codes generated on your original device. When you change phones, the codes will need to be migrated over, but this is often a trivial process that can be done with help from your cell phone carrier.
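
How an authenticator app arrives at its code, as an added example (not code from this article or from any vendor named above): a TOTP generator and server-side check following RFC 6238, assuming the RFC's default 30-second step, six digits, and the RFC's published test key as a constructed secret. The `Verifier` class and its `drift` parameter are illustrative names.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code (RFC 6238 default; an assumption of this example)
DIGITS = 6

# Constructed demo secret: the RFC 6238 test key, base32-encoded the way an
# enrollment QR code carries it. It is stored once on the phone and the server.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """Code shown at Unix time `at`; computed locally, nothing is received."""
    return hotp(secret, int(at) // step)

class Verifier:
    """Server side: accept the current step +/- `drift`, and each step only once."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret, self.drift, self.last_used = secret, drift, -1

    def check(self, code: str, at: float) -> bool:
        now = int(at) // STEP
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_used:
                continue  # step already consumed (or older): reject replays
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used = counter
                return True
        return False

if __name__ == "__main__":
    server = Verifier(SECRET)
    t = time.time()
    code = totp(SECRET, t)                                   # phone side
    print("code:", code)
    print("first use accepted:", server.check(code, t))
    print("replay accepted:", server.check(code, t))
    print("accepted 5 minutes later:", Verifier(SECRET).check(code, t + 300))
```

The only value that ever crosses the network is the six-digit code the user types in; the shared secret stays on the device and the server after enrollment.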

The Limitations of Cell Phones for 2FA

At a glance, using a cell phone for 2FA might seem like a convenient option for most end users. It’s a device most of us have on hand all the time. Many services offer SMS-based 2FA, where a code is sent to your phone via text when you try to log in. But this method comes with significant vulnerabilities:

  1. SIM Cloning Threat: One of the primary threats is SIM card cloning. If attackers gain access to your phone, they can copy your SIM card, giving them the ability to receive your text messages, including 2FA codes. They will also be able to read all of your private data such as text messages from your bank or your spouse. This isn’t a sophisticated attack; it’s relatively easy to do, making it a favorite among cybercriminals and ransomware gangs.
  2. Account Recovery Weakness: Consider this scenario: an attacker has cloned your SIM card. They then go to your email provider’s website, claim to have forgotten the password, and request a reset. The service sends a validation code via SMS text message, which the attacker now receives. Once they reset your email password, they have control. Given that our email accounts are often the recovery point for other online accounts, this could set off a domino effect of account compromises. In short order, an attacker could have access to almost all of your accounts by just compromising one.
  3. SMS Interception: Beyond cloning, there are other ways to intercept SMS messages, such as exploiting vulnerabilities in the cellular network. Traffic travelling over the air can be captured and decoded. Attackers can emulate cell phone towers and become the provider that your cell phone uses for messaging. These devices are not large and can fit in a backpack. These methods don’t even require physical access to the target’s phone. With this in mind, we need better ways to secure our email accounts as well as our other online accounts.

Hard Tokens

Physical security tokens are another way to make sure your MFA codes are not leaked when you authenticate. These plug into your machine like a USB device to generate codes, and they are an even stronger version of MFA. YubiKeys are a popular solution, and even Google has entered the market now. As long as you have your hard token device on you, it can be used to get you into your computer, email account, or other online accounts.

This solution is not as popular since you need yet another device that you carry everywhere. It is a good solution for those who realize spyware can be placed on your phone. When your phone is compromised, the codes in the authenticator app could also be going to an attacker. If you are curious about this solution, contact a security expert with Novatech.

Protecting Your Digital Footprint with Novatech

The vulnerabilities of SMS-based 2FA are evident, emphasizing the need for more secure alternatives. For those looking to bolster their digital defenses, Novatech’s expertise in cybersecurity can guide you. We can help you implement robust MFA solutions, ensuring that your digital assets remain uncompromised.

Prioritizing the right 2FA method today can save you from potential breaches tomorrow. Don’t leave your security to chance; choose the method that best safeguards your digital life.

Contact Novatech’s security experts for more insights and tailored solutions to save you money in the long run.

Written By: Editorial Team