Any MFA Is Better Than No MFA
February 28, 2023
It is difficult to emphasize enough the importance of multi-factor authentication (or MFA). It isn’t enough to protect your account with a password alone. You need a secondary security solution that ensures bad actors can’t break into your account if your password leaks. While there are a few different types of MFA to choose from, with varying levels of security, the bottom line is this: Any MFA is better than no MFA.
Twitter was once again in the news last week thanks to a sudden security policy change: Anyone who isn’t subscribed to Twitter Blue, meaning anyone who uses Twitter for free, will lose access to SMS-based MFA. These users will have the option to switch to an alternative form of MFA, such as via an authenticator app or security key, or to go without.
It’s a frustrating move from a cybersecurity perspective. It is difficult enough to convince users to opt in to security measures like MFA in the first place. Taking that method away from the users who did, because they don’t pay for the service, turns MFA into a paid perk rather than a baseline protection, and will leave many Twitter accounts protected by a password alone.
However, the move has jump-started a second, perhaps unintended, discussion about MFA in general: if given the choice, you shouldn’t pick SMS-based MFA.
The issue is that authenticator apps and security keys are more secure than SMS for MFA. With SMS, the security rests on the assumption that only you can read the text messages sent to your phone number. In practice, that’s usually true. But an attacker who already has your leaked password and gets hold of your phone, even briefly, can request a login code, read it off the lock screen, and get into your account.
It goes beyond physical access, too: phone numbers can be stolen. A bad actor can hijack your number by convincing your carrier that they are you and having the number transferred to a SIM they control (an act called SIM swapping). Once that happens, their phone receives every SMS-based MFA code they trigger, and you typically find out only when your own phone loses service.
It’s because of these weaknesses that the recommendation is to choose a different option for MFA whenever one is available. An authenticator app stores a secret for each account on your device and uses it to generate short-lived codes locally, so nothing travels over the phone network and a stolen phone number gets the attacker nothing; the app itself can be locked behind the device PIN or biometrics. A security key goes further: it holds a private key and only signs the site’s login challenge when you physically plug in or tap the key, and because that signature is bound to the site you are logging in to, it cannot be replayed from a look-alike phishing page.
However, the title of this article still stands: Any MFA is better than no MFA. If an account only lets you add SMS-based MFA, do it. If SMS-based MFA is the most convenient option for you, do it. The most important thing is to use MFA wherever you can. Twitter doing away with free SMS-based MFA means a lot of people are about to stop using it. And that’s a bad thing for everyone except the attackers.