FBI and CISA Warn Against SMS-Based Two-Factor Authentication Following Security Breaches

Federal agencies are warning about security vulnerabilities in SMS-based two-factor authentication (2FA) methods following recent cyberattacks that have exposed weaknesses in these systems. The FBI has specifically cautioned Americans about the risks of using text messages for two-factor authentication, building on previous joint advisories with CISA about SMS vulnerabilities.

A significant incident known as the “Salt Typhoon” cyberattack, attributed to Chinese espionage efforts, demonstrated how attackers could exploit SMS-based authentication vulnerabilities. The attack targeted U.S. internet service provider systems used by law enforcement for court-authorized wiretapping under CALEA requirements. Attackers successfully intercepted SMS one-time passwords to gain unauthorized system access, prompting new security guidelines from the FBI and NSA.

Cybercriminals employ multiple techniques to compromise SMS authentication, including SIM swapping, where attackers convince mobile carriers to transfer phone numbers to their control; exploiting SS7 protocol vulnerabilities to redirect text messages; using malware to access text messages; and conducting man-in-the-middle attacks to intercept cellular network communications. Recent FBI reports indicate that SIM swapping attacks alone cost victims $48 million in 2023.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance directing federal agencies to implement multi-factor authentication for social media accounts. Federal agencies recommend using phishing-resistant authentication methods, such as app-based authenticators or hardware keys, instead of SMS-based 2FA. The guidance supports CISA’s recent mobile security guidelines emphasizing FIDO authentication and the growing adoption of passkeys, which have seen a 550 percent increase in implementation during 2024.

Alternative authentication methods include encrypted messaging applications like Signal or WhatsApp, which provide end-to-end encryption. These solutions offer enhanced security compared to standard SMS authentication. U.S. intelligence agencies have endorsed the use of encrypted messaging apps for sensitive communications, particularly following several high-profile telecom data breaches that have exposed the vulnerabilities in traditional carrier-based messaging systems.

Sources: Alvarez Technology Group, Security Links, YouTube, Keypasco

Partners

FaceTec’s patented, industry-leading 3D Face Verification and Reverification software anchors digital identity, creating a chain of trust from user onboarding to ongoing authentication on all modern smart devices and webcams. FaceTec’s 3D FaceMaps™ finally make trusted, remote identity verification possible. As the only technology backed by a persistent spoof bounty program and NIST/iBeta Certified Liveness Detection, FaceTec is the global standard for 3D Liveness and Face Matching with millions of users on six continents in financial services, border security, transportation, blockchain, e-voting, social networks, online dating and more. www.facetec.com

Oz Forensics is the independent private vendor of robust, technology-based, and AI-powered liveness detection and face-matching solutions founded in 2017 and headquartered in Dubai, UAE. We confirm the security level of our solution by certifying the ISO-30107 Level 1 and 2 standards. https://ozforensics.com/

AuthenticID provides 100% automated identity verification and fraud detection solutions that are leveraged by companies worldwide, including 2 of the top 3 U.S. Banks, 8 out the top 10 wireless providers in North America, and 2 of the 3 credit bureaus. Using proprietary computer vision and machine learning technology, these solutions help companies accurately verify the identity of their users across retail, digital and call center environments for onboarding and ongoing re-authentication events; KYC, IAM, and more. The solutions are easy to integrate and provide customers a large ROI by stopping fraud losses, increasing customer conversion at onboarding, reducing operational costs and allowing quick and cost-effective operational scalability, all while ensuring global privacy regulations are complied with. https://www.authenticid.com/

Founded in 2007, Lakota Software Solutions is an American company with a world-renowned reputation for developing robust biometric software and systems. Our vendor-agnostic products are tailored to ensure compliance with ANSI/NIST-ITL standards and EBTS specifications, facilitate seamless integration with other biometric systems, and optimize accuracy, cost-effectiveness, and scalability. https://lakotasoftware.com/

Identity Week aims to be a significant identity industry catalyst. It’s our mission is to help accelerate the move towards a world where trusted identity solutions enable governments and commercial organisations to provide citizens, employees, customers and consumers with a multitude of opportunities to transact in a seamless, yet secure manner. All the while preventing the efforts of those intent on doing harm. https://identityweek.net/

The Biometric Digital Identity Prism is a market landscape framework designed to help influencers and decision makers understand, innovate, and implement digital identity technologies and solutions. This innovative framework for understanding and evaluating the rapidly evolving biometric digital identity marketplace is the only market model that is truly biometric-centric based on the foundational conviction that in the age of digital transformation the only true, reliable link between humans and their digital data is biometrics. https://www.the-prism-project.com

Related News & Articles

Footer

Follow Us