Ever make an easy decision that impacts you negatively in the long term?
At its best, SMS is not much more than security theater; at its worst, it is the weakest link in the authentication chain. Sure, it is easy to deploy and adopt, but the benefits end there.
SMS is not encrypted. SMS messages are sent in clear text, making them vulnerable to interception by attackers, for example in man-in-the-middle attacks.
Outages. Authentication apps and security keys work offline. SMS requires phone service and supporting software and services to be available to function.
SMS is not technically MFA or 2FA. True multifactor authentication is something you know (username/password*) and something you have. An SMS code is not something you have; it is something someone sent you, to something you may or may not actually have, which makes it the weakest link in the chain. SMS is still better than a security question, as that is just something you know and therefore just a single factor.
SMS codes are vulnerable to phishing attacks. Hardware tokens such as a YubiKey are not vulnerable to this attack, but they still add more friction than an authenticator app with push.
Phone company employees. Phone company employees could, intentionally or through manipulation, transfer a phone number to an attacker’s SIM card, meaning the security codes get sent to the attacker instead of you.
SMS is not free. Many providers pass through the expense of SMS messages to their customers. Why pay for the weakest link?
The only benefit of SMS is that it is easily deployed and adopted, and hackers love it when we take the easy route, don’t they? Why not reduce friction and increase security by using the QuickLaunch App with Push notification? No more looking at an SMS message, typing it in, and then hopefully getting it right the first time. We commonly see a 20% failure rate with SMS when humans are involved in the transaction. Remove that friction, and your users or customers will be happy and secure at the same time!