Federal agencies are warning against the continued use of SMS-based two-factor authentication (2FA) on smartphones, citing multiple security vulnerabilities. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories highlighting specific risks and recommending alternative authentication methods, marking a significant shift toward more secure authentication protocols.
The agencies identify several key vulnerabilities in SMS-based 2FA. Messages are not end-to-end encrypted: they travel in clear text through the carrier network and its signaling path, so an attacker with access to that infrastructure, or to the handset itself, can read the code. SIM swapping is another significant threat: criminals convince a mobile carrier to move a victim's phone number to a SIM card they control, and from then on they receive the authentication messages intended for the legitimate user.
Technical vulnerabilities extend to the underlying telecommunications infrastructure, particularly the Signaling System 7 (SS7) protocol, which can be exploited to redirect SMS messages. Additionally, phishing attacks can be used to trick users into revealing their authentication codes, while network outages can prevent legitimate users from accessing their accounts.
“While SMS-based 2FA adds a layer of security, it is vulnerable to phishing attacks and network outages. It is imperative to adopt secure communication practices and transition from SMS to encrypted messaging platforms and more secure authentication methods,” the FBI and CISA state.
As alternatives, the agencies recommend two distinct measures. For everyday communications, encrypted messaging applications such as Signal and WhatsApp, which provide end-to-end encryption, should replace SMS. For second factors, authenticator apps or hardware tokens should replace SMS codes. FIDO authentication standards, supported by major technology companies including Apple, Google, and Microsoft, are singled out as particularly promising because they are phishing-resistant: the credential is bound to the legitimate site's origin, so a lookalike site cannot obtain a code or assertion that the real service will accept.
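To make the phishing-resistance point concrete, here is an added example (not from the agencies' advisories or from any of the sources listed at the end of this article) that models both mechanisms in Python using only the standard library. The first part implements RFC 6238 TOTP, the same kind of six-digit code an SMS delivers, and shows that a code relayed by a phishing proxy, or intercepted through SS7 or a SIM swap, is accepted because nothing ties it to the victim's session. The second part models a FIDO/WebAuthn assertion: the browser, not the page script, writes the page origin into clientDataJSON and refuses a relying-party ID the page is not entitled to, and the relying party rejects any assertion whose origin or RP ID hash does not match. The RP ID login.example.com, the lookalike origin, the challenge and the credential key are constructed for the example, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import struct

# ---- 1. An SMS / TOTP code is a bearer value: whoever holds it can use it ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)

# RFC 6238 Appendix B seed; the timestamps used below are constructed inputs.
OTP_SEED = b"12345678901234567890"

def otp_accepted_after_relay(unix_time: int) -> bool:
    """A real-time phishing proxy (or an SS7 / SIM-swap interceptor) obtains the
    code sent to the victim and submits it to the real service inside the same
    30-second window. The service only compares digits, so it cannot tell the
    attacker's session from the victim's."""
    code_sent_to_victim = totp(OTP_SEED, unix_time)
    code_submitted_by_attacker = code_sent_to_victim      # nothing binds it to a session
    return hmac.compare_digest(totp(OTP_SEED, unix_time), code_submitted_by_attacker)

# ---- 2. A FIDO / WebAuthn assertion is bound to the RP ID and the page origin ----

RP_ID = "login.example.com"              # assumed relying-party ID for this example
RP_ORIGIN = "https://" + RP_ID

class Authenticator:
    """Stand-in for a security key or passkey. A real authenticator signs with a
    per-credential private key (ECDSA/EdDSA); HMAC over the same byte layout is
    used here so the example runs on the standard library alone."""
    def __init__(self):
        self.credentials = {}            # rp_id -> key: credentials are scoped to an RP ID

    def register(self, rp_id: str) -> bytes:
        key = hashlib.sha256(b"example-credential-" + rp_id.encode()).digest()  # constructed key
        self.credentials[rp_id] = key
        return key                       # a real authenticator would hand back a public key

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        key = self.credentials[rp_id]    # KeyError if no credential exists for this RP ID
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()

def browser_get(auth, page_origin: str, rp_id: str, challenge: bytes, enforce_scope=True):
    """The browser, not the page script, writes the origin into clientDataJSON and
    (with enforce_scope, as real browsers do) refuses an RP ID that is neither the
    page's host nor a parent domain of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if enforce_scope and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("RP ID %r is not valid for origin %r" % (rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig

def rp_verify(key: bytes, challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion ceremony: type, challenge,
    origin, RP ID hash, then the signature over authData || SHA-256(clientDataJSON)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False                     # assertion was produced on some other site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def fido_login(page_origin: str, enforce_scope: bool = True) -> bool:
    """Run the ceremony with the page loaded from page_origin. For a phishing page
    the attacker relays the RP's genuine challenge in and the assertion back out;
    the RP's verdict is returned."""
    auth = Authenticator()
    key = auth.register(RP_ID)
    challenge = hashlib.sha256(b"constructed-challenge").digest()  # real RPs use fresh random bytes
    try:
        client_data, auth_data, sig = browser_get(auth, page_origin, RP_ID, challenge, enforce_scope)
    except PermissionError:
        return False                     # the browser never even asked the authenticator
    return rp_verify(key, challenge, client_data, auth_data, sig)

if __name__ == "__main__":
    lookalike = "https://login.example.com.evil.example"
    print("OTP relayed by phisher accepted:", otp_accepted_after_relay(59))
    print("FIDO assertion from real site accepted:", fido_login(RP_ORIGIN))
    print("FIDO relayed from lookalike (browser scoping):", fido_login(lookalike))
    print("FIDO relayed from lookalike (origin check only):", fido_login(lookalike, False))
```

The OTP path succeeds for the attacker every time; the FIDO path fails twice over, first because the browser will not present a login.example.com credential to a page on another host, and second because even a client that skipped that check would still stamp the phishing origin into the signed client data, which the relying party rejects.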
The warnings come amid increasing exploitation of unencrypted SMS, MMS, and RCS communications by threat actors, including state-sponsored groups. These actors have demonstrated the ability to compromise telecom infrastructure through vulnerabilities in protocols such as SS7, Diameter, and RCS, enabling the interception of metadata, call records, and communication streams.
To enhance security, the agencies recommend a multi-layered approach combining encrypted platforms with multi-factor authentication (MFA) to protect against unauthorized access and SIM-swapping attacks. The recommendation signals a move away from SMS codes toward phishing-resistant authentication. Major platforms are already moving in this direction: Microsoft has announced plans to implement native passkey support in its Authenticator app by 2025, giving users a phishing-resistant sign-in option.
Sources: Seton Hall University, LCG Discovery, Freemindtronic, NBC Los Angeles