In the world we live in today, simply using a password is not enough.  Although it has been the most widely used mechanism for authentication, it suffers from many flaws that the Cyberattacker can exploit quite easily.  Thus, many businesses today require their employees and contractors to go through a procedure called Two Factor Authentication, also known as 2FA.

This is where you confirm your identity through at least two means: a password, plus something stronger, such as a Smart Card, an RSA Token, or a One Time Password (OTP).  The OTP is often delivered via a text message (also known as SMS) or generated by an authenticator app on your smartphone.

So now the question becomes: which method is more robust?  We will explore this further below.

The SMS

This is an acronym that stands for “Short Message Service”.  We use this every day to communicate with family, friends, and coworkers.  In most cases, if you are attempting to log into your company network, the first step in the authentication process is the password.

Then the next step is that you will be sent an OTP (One Time Password) as a text message.  This is usually a numerical value, and it only remains valid for a few minutes.  Once you receive it, you enter it into your company portal, and you are then allowed to access the shared resources.

But using this method has its security weaknesses, because SMS text messages are not private or secure (SOURCE: 5):

  • SMS does not support end-to-end encryption.
  • Anyone can read received texts.
  • Intercepting messages is possible.
  • SMS messages can be viewed by mobile carriers, governments, and hackers.
  • SMS authentication is not entirely secure.
  • Hackers can use the Man in The Middle Attack:

This is a kind of security breach in which the Cyberattacker intercepts the messages that the servers are transmitting to you, especially to your smartphone.  If they have already hijacked your password, all they need to do is intercept this OTP, and they can gain almost instant access to the IT/Network Infrastructure of the business.

  • The SIM Swap:

In this kind of attack, the Cyberattacker tries to launch an impersonation attack against the victim and convince the wireless carrier that they are that person.  While there are safeguards now put into place, this kind of attack still happens quite frequently today.  If the Cyberattacker is successful here, the wireless carrier will then activate a brand-new SIM card that uses the victim’s phone number.

Because of these two major vulnerabilities, as well as SMS Phishing (this is where you get a Phishing based message as an SMS message rather than in an email), the more favored technique for the second means of authentication is the authenticator app.

The Authenticator App

This is a mobile app that you can download onto your smartphone.  The most popular ones are available from Microsoft and Google.  There are several key advantages to using the authenticator app, which are as follows:

  • The OTP is created locally by the app; it is not transmitted as an SMS message. For example, if you are trying to access your company email, the first step in the authentication process is to enter your username and password.  Once you have done this, a trigger is sent to the authenticator app to create that OTP directly on your smartphone.
  • The apps also display a countdown timer, which shows how much longer you have until the OTP expires. If it expires, you will have to log in all over again.
  • Most of the authenticator apps (such as the one from Microsoft) require you to first go through the authentication process for your smartphone before you will be allowed to enter the OTP that was generated. For instance, with the iPhone, you will have to go through FaceID or TouchID.  If you do not have these, your iPhone will require you to enter your passcode.  Thus, this adds an extra layer of security.
  • Also, the authenticator app can create the OTP offline, meaning you do not have to be connected to a wireless network, as is the case when receiving the OTP via an SMS message.

Conclusions

Thus, using an authenticator app is much more secure than using an SMS message.  To download the Microsoft authenticator app, access the link below:

Tutorial – Set up and use Microsoft Authenticator with VerifiedID – Microsoft Entra Verified ID | Microsoft Learn

The first image below shows how you can access the Microsoft authenticator app from the Apple Store.

(SOURCE:  1).

The second image below illustrates how to install onto your iPhone:


(SOURCE:  1).

If you need further help with this, contact us today.

Sources