Cygilant Blog

Should You Switch from SMS-based Two-factor Authentication to U2F Fobs?

Posted by Trevan Marden on Aug 1, 2018

two-factor-authenticationThe quick answer is probably yes, wherever you can.

Google recently announced that since deploying physical security fobs to all of its employees, none had been successfully phished on work-related accounts. Google also announced plans to introduce its own hardware fobs – the Titan Security Key, although they look suspiciously identical to those currently offered by Feitian. This may be the endorsement needed to force greater support for the U2F standard which employs a physical fob to generate authentication tokens as a second factor.

In recent years, we’ve continued to hear how bad passwords alone are at securing login; even with complexity and length requirements. Many services and website now support two-factor login; but the majority of these are only using an SMS message sent to your cell phone as the second factor. As a result hackers have been finding ways to divert these messages through “port-out” scams – essentially social engineering your cell provider to redirect your service and phone number to their phone, so they can get access to your two-factor auth codes and drain your accounts or steal your Instagram handle. NIST also warns against SMS messages due to notable vulnerabilities in the way that cell towers authenticate phones that can lead to spoofing and capturing the messages in transit.

Hopefully with the latest endorsement by Google, we will see more widespread support for hardware tokens based on the U2F standard. This is likely the best option available currently. So, if you’re able to switch to a U2F fob instead of SMS-based authentication for the services you use, you should consider doing so. Of course, there are downsides to fobs as well, such as losing the physical fob or a malfunction, which is why it is recommended to have backup fobs as well.

It’s important to also realize that in security, it is only a matter of time until hackers find ways to breach even the newest protections. For this reason, it’s important to remain vigilant in monitoring your devices and network for anomalous activity and unpatched vulnerabilities and quickly responding to any identified issues before they lead to a data breach. For organizations with limited resources, Cygilant’s SOCVue services provide the people, process, and technology to deliver 24x7 security monitoring, vulnerability and patch management at affordable costs.

Learn more about Cygilant in this brief video:

Curious How SOCVue Can Help? Watch Now

Most Recent Posts

Subscribe to the Cygilant Newsletter