5 Reasons to move away from text message authentication for multi-factor authentication


As a registered investment advisor (RIA) or financial advisor, you are always looking for ways to better secure your clients’ data. One specific way is by using multi-factor authentication or, as it’s sometimes called, two-step verification. This adds an extra layer of account security by requiring not just a password, but also a second factor, such as a text message or a code from an app, to log in.

For a long time, SMS or text message has been the most common authentication method. However, there are many reasons why text message is no longer the best option for multi-factor authentication.

Text message is less secure than other authentication factors

While text message is better than having no second authentication factor at all, it is not as secure as other authentication methods, like biometrics or security tokens. This is because text message is reliant on a physical device that can be lost, stolen, or compromised. By contrast, other authentication factors are more difficult to replicate or steal. For instance, biometrics are unique to each individual, while security tokens can be locked in a safe when not in use.

Text messages are not encrypted

SMS messages are sent as plain text, which means anyone can intercept and read these messages if they have access to the phone’s network. If a hacker manages to get access to your texts, they could easily find your login codes and use them to log in to your accounts. This is an especially serious security concern for an RIA or a financial advisor like you who often deals with sensitive client information.

Text messages can be synced to potentially unsecured or compromised devices

Most phones today allow users to sync text messages across multiple devices. This is convenient, but it also means that if a hacker gets access to one of your devices, they can easily get your text messages and login codes as well.

Hackers can port a phone number to a new device

In a SIM swapping attack, a hacker tricks your service provider into transferring your phone number to a new device. This gives the hacker access to any accounts that are linked to that phone number, including your email, social media, and other accounts you use for business. Once they have access to your accounts, they can do a lot of damage, such as stealing your money or your clients’ confidential information.

Hackers can intercept text messages using SS7 attacks

SS7 (Signaling System 7) attacks exploit the way mobile networks route calls and text messages. This flaw allows hackers to intercept and read text messages, even if they are encrypted, as well as eavesdrop on calls and track users’ locations. SS7 attacks can be difficult and expensive to carry out, but they are a serious security concern, especially for high-profile targets like RIAs and financial advisors.

What’s the best alternative to text message?

Given all these security concerns, it’s clear that text message is no longer the best option for multi-factor authentication. So what is a better choice? We at RIA WorkSpace recommend Microsoft Authenticator.

Microsoft Authenticator is a free app that you can use for multi-factor authentication with your Microsoft account and other online accounts, such as Facebook, Google, and Dropbox. You can download it on your phone or tablet from the App Store or Google Play.

Microsoft Authenticator is more secure than SMS because it uses a time-based one-time password (TOTP) instead of a simple text message. TOTP is a computer algorithm that generates a unique code at set intervals, such as every 30 seconds. Each code can be used only once and expires after a short period, so even if a hacker manages to intercept a code, they can’t use it to log in if the code has expired.

Microsoft Authenticator is also convenient and easy to set up. Once you’ve downloaded the app, you simply need to add your accounts and turn on multi-factor authentication. Whenever you sign in to one of your accounts, you’ll enter your username and password as usual, and then you’ll be prompted to open Microsoft Authenticator and enter the code that it generates. You can simply copy and paste the code, or, if you’re using a Microsoft account, you can even approve the sign-in with a single tap.

So if you’re looking for a better way to secure your online accounts, we encourage you to ditch SMS authentication and give Microsoft Authenticator a try. It’s easy to use and effective in protecting your accounts from hackers.

Related reading: Microsoft Authenticator: Secure authentication for RIAs and financial advisors

For other ways to keep your accounts and clients’ information safe, get in touch with our experts at RIA WorkSpace. We specialize in all things IT for RIAs and financial advisors and can help you implement the best solutions for your firm.