2FA SMS Is No Longer Secure… Here’s What You Need To Know

Reading time:3 mins

Recently, several of the world’s top professional poker players revealed that they have been victims of a hacker or group of hackers who took over some of their non-poker online accounts. The security weakness that allowed this to happen was one most people wouldn’t expect: two-factor authentication (2FA). 2FA insecurity remains an unguarded area of opportunity access that hackers can exploit.

One of the most common forms of 2FA is SMS text messaging using a person’s mobile phone. It makes sense. Almost everybody has a cell phone – smart or otherwise – and can easily retrieve a pin and password via SMS technology. The first factor of site authentication is a login; the second factor is a text containing a code that must be entered to verify that the phone belonging to the registered account holder has responded.

However, it’s not secure. In fact, in the latest draft of their Digital Authentication Guideline, the National Institute of Standards and Technology (NIST) noted that “using SMS is no longer recommended as a credible two-factor authentication system because of its many insecurities.” In 2016, the government called for an end to 2FA insecurity by encouraging companies to make the transition as soon as possible.

In the case of the poker players, they requested sensitive personal information that was provided to them via SMS text messaging. This ultimately allowed someone to take over several online accounts.

Ultimately the weak link is the cell phone company. Whether it’s ghost towersnegligent customer service representatives, a hacked phone, or a mass data breach it’s a known fact that cell phones are often a major source of personal identity theft and fraud. It’s also important to note that while this appears to be an isolated incident, it’s not. This time it was four professional poker players, but there’s no telling how many others could have been affected by this same breach, OR how many people are plagued by similar issues around the world each day for that matter.

The second method of beating 2FA insecurity is the use of questions as a second identifying factor. While most sophisticated companies have abandoned using mother’s maiden name as a question, city of birth is often still used. Any public database can supply that information easily. For hackers looking to get in to an account, it’s an easy get. For people closer to the individual – like a significant other – who are even more likely to attempt access, it’s a no-brainer. Social engineering can be used for other common questions such as favorite movie or food. A significant other will probably be able to provide credible answers, even the name of one’s first pet.

The writing is on the wall or in this case your phone. 2FA authentication is out, multifactor authentication (MFA) is in.

Multi-factor authentication is the most secure method of identifying someone. It requires any two of these factors:

  • Something you are (biometric)
  • Something you know (account information, personal information, password and login knowledge, etc)
  • Something you have (device, fob, etc.)

BioSig-ID uses something you know, and something you are. Something you know is a four character password. Something you are is an unforgeable way that you write. It’s distinct, like no one else.

It’s the multi-factor solution networks need to keep personal identity safe. Using our revolutionary MFA biometric solution BioTect-ID, we can lock down a device, authenticate users in seconds and in the case of an attempted breach, revoke access. Cloud-based identity protection at your fingertips:

  • BioTect-ID (SKSA) now locks access to devices
  • BioSig-ID (SKSA) locks access to web applications

If you worry about the security of your customers, imagine only biometrically identified users can login to your system. And they can even reset their password. BioMetric Signature ID has proven id authentication with over 10 million uses in 95 countries. It’s cloud-based identity protection without software downloads or additional costly hardware. SMS alone cannot do that.