MFA - SMS Deprecation

Why We Are Phasing Out SMS as a Multi-Factor Authentication (MFA) Method

In today's rapidly evolving cybersecurity landscape, it is crucial to stay ahead of emerging threats and adapt our security measures accordingly. As part of our ongoing commitment to safeguarding your data, we have decided to discontinue the use of SMS as a Multi-Factor Authentication (MFA) method. This decision is driven by the need to address vulnerabilities associated with SMS-based authentication and to ensure that our security practices remain robust against current and future threats.

Understanding the Current Threat Landscape

The cybersecurity threat landscape is constantly changing, with attackers continuously refining their tactics and techniques. Recent trends have shown an increase in sophisticated attacks that exploit weaknesses in SMS-based MFA. These vulnerabilities include:

Lack of Encryption: SMS messages are not encrypted, making them susceptible to interception by malicious actors.

SIM Swapping: Attackers can impersonate victims to convince mobile service providers to transfer the victim's phone number to a SIM card in their possession, allowing them to receive SMS messages intended for the victim.

SS7 Attacks: The outdated Signaling System 7 (SS7) protocol used by telecommunication companies can be exploited to intercept and redirect SMS messages.

Social Engineering: Attackers can use social engineering tactics to trick individuals into divulging confidential information, including SMS authentication codes.

The Need for Stronger Authentication Methods

Given these vulnerabilities, it is clear that SMS-based MFA is no longer sufficient to protect against the sophisticated threats we face today. To enhance our security posture, we are transitioning to more secure authentication methods that provide better protection against these risks. These methods include:

Authenticator Apps: Apps like Microsoft Authenticator generate time-based one-time passwords (TOTPs) that are more secure than SMS codes.

Hardware Tokens: Physical devices such as YubiKeys provide an additional layer of security by requiring physical possession of the token.

Staying Ahead of the Threat Landscape

Our decision to phase out SMS-based MFA is part of a broader strategy to stay ahead of the evolving threat landscape. By adopting more secure authentication methods, we aim to provide you with the highest level of protection for your data. We encourage all users to transition to these new methods to ensure their accounts remain secure.

In conclusion, the discontinuation of SMS as an MFA factor is a necessary step to keep up with current threat landscapes and to safeguard your data against emerging threats. We appreciate your understanding and cooperation as we implement these changes to enhance our security measures.

Next Steps

For assistance setting up an authenticator app, follow this link: https://ssdmo.atlassian.net/wiki/x/nYDkbg

Users who are not able to use an authenticator app can request a hardware token via Helpdesk.

Want to learn more?

There is additional information located in the knowledge center: https://ssdmo.atlassian.net/wiki/x/xAIQHg

Additional Resources

How to meet evolving MFA demands in the current threat landscape

https://cyberhoot.com/blog/top-five-risks-from-sms-based-mfa/

The urgent need to replace SMS-based MFA | 1Password Blog

 

 
