Phone Based MFA is OUT but Better than nothing…

You’ve heard me talk about the importance of account security and making sure you have a strong password.

You’ve also heard me talk about setting up your #2FA or #MFA (Two Factor Authentication aka Multi Factor Authentication)

Don’t be confused about the new guidelines that #Microsoft has recently released.

MFA is still critically important, and if you haven’t done so and you want to make sure your account is secure and you won’t get locked out because of a #forgottenpassword, you should set it up now (if you need help, message the page).

BUT the important thing to note is that your MFA codes shouldn’t be sent to your phone anymore. There are many reasons for this now.

1. SMS texts sent over telephone networks are easily intercepted by would-be attackers (known as a Man-in-the-Middle attack).

2. There are a lot of SMS apps that can copy your texts into an attacker’s hands by associating your number with the app.

3. Phone cloning – attackers can clone your SIM card and receive all your text messages and/or phone calls.

So although phone-based MFA is better than nothing, it’s not 100% secure, especially now that attackers are finding multiple ways to get the codes.

It doesn’t even have to be an attacker that causes problems with phone-based MFA. What if you lose your number or change your number and no longer have access to that number to get the code? You’ve locked yourself out.

I actually had a customer recently who did just that. Her Facebook got security-locked for some reason and she couldn’t reset her password because phone-based MFA was set on her registered FB account email, and she had stopped using that email long ago and didn’t have access to the phone anymore. So not only could she not get into her Facebook to get the special code/link to set her password, she couldn’t access the email that Facebook was sending the code to.

So what happened? Well, I called her old phone number to see if it was still active, and when it was I asked the person if they would send me the code. Luckily they agreed. I got the code for the email reset, reset her email password, got into her old email account, got the link for Facebook and finally reset her Facebook password.

It was a lot of trouble, but we got it done. Hence the importance of keeping your account security updated.

So IF phone-based MFA is no longer recommended, what do you do? You use an app-based authenticator like #Google Authenticator or the Microsoft Authenticator. Both are fine apps and will keep your codes and accounts safe.

You can also use a physical USB key like the Google Titan or a YubiKey.

Those are your two best options. Now I know it’s a pain to have to look up a code or find your physical USB key when you want to log into your account, but isn’t it better than getting hacked or locked out of your account?

It’s becoming more and more difficult to gain access to a locked account. With most accounts now, if you don’t know your security questions or have access to your password or MFA codes, you don’t have any recourse: that account is dead and will never get used again.

The company that the account is with doesn’t care if you are the legitimate owner; if you can’t prove your identity you’ll have to start a new account.

So take this time to change your MFA, if you are using phone-based MFA, to an authenticator app.

I will help at no additional charge to make sure your account is secure. Just drop a message on the page.
