Two-factor authentication via SMS is simply insecure
Sending security tokens via SMS is often still considered a secure method of two-factor authentication. However, US authorities are now warning against this method after serious attacks on critical infrastructure.
Experience from Salt Typhoon
A recent cyberattack, dubbed the “Salt Typhoon,” has exposed serious vulnerabilities in the U.S. telecommunications infrastructure. Hackers believed to be close to the Chinese government have reportedly gained access to unencrypted communications such as phone calls and text messages.
The attack is considered one of the worst in US history. This week, therefore, the US Cybersecurity and Infrastructure Security Agency (CISA) expressly warned against using SMS as a method for multi-factor authentication (MFA). Its current guidance states: “SMS messages are not encrypted. An attacker with access to a telecommunications network can intercept and read these messages.” SMS-based MFA is not a safe option, especially for high-value targets.
CISA’s recommendation is to use phishing-resistant methods such as authentication apps or passkeys instead. While not all services offer alternative MFA options, users should switch to more secure alternatives when possible.
FBI open to encryption
Salt Typhoon certainly left an impression on the security authorities. This is reflected, among other things, in the fact that even the FBI, which has traditionally taken a skeptical stance towards strong encryption, now recommends its use.
The agency has advocated for using apps like Signal that offer end-to-end encryption. These provide encrypted communication and are available for common operating systems such as iOS, Android, Windows and macOS. CISA highlights that encrypted messaging apps are critical not only for individuals but also for government agencies. The goal is, after all, to protect communication channels from potential eavesdropping attempts.