Security Key vs SMS vs App: Comparing the Different Forms of MFA

phone systems, and productivity tools. Often, the only thing protecting all those cloud accounts from a breach is the weakest employee password. And even a strong password can be exposed when a large retailer or cloud provider suffers a data breach. So far this year, there have already been major breaches of Facebook, LinkedIn, U.S. Cellular, Microsoft Exchange, and Hobby Lobby. Once a large database of passwords is stolen, the credentials are typically sold on the Dark Web and tried against as many other accounts as possible (credential stuffing). Approximately 65% of people admit to using the same password for multiple accounts, both work and personal. Implementing MFA means that even if a password is exposed, the password alone is not enough to get into the account. According to a study by Google, MFA is between 76% and 100% effective at blocking fraudulent sign-in attempts, depending upon two things:

  1. The type of attack (automated bot, bulk phishing, targeted attack)

  2. The method of receiving the MFA code (SMS, App, Security Key)

MFA is so effective at blocking account compromise because the attacker typically does not have the device or key that completes the login. While you can't control the type of attack perpetrated on your accounts, you can control the method of MFA you use. Some are more secure than others, but the more secure methods are often less convenient for users. It's important to weigh both factors when choosing the best way to implement MFA at your Denton or Wise County business.

Methods of MFA: Security & Convenience Considerations

There are three common methods of receiving the code (or prompt) used to complete the multi-factor authentication process. We'll take a look at each one below and compare their security and convenience factors.

SMS/Text Message

The most popular method of enabling MFA is SMS. The user registers a mobile number, and when they attempt to log in, a time-sensitive, one-time code is sent to that number via text message.

Convenience: This method is the most convenient for users. There is no separate app to set up; MFA is simply turned on for the account in question, and typically a test code is sent to confirm the user has access to the registered mobile number.

Security: In the Google study, SMS was the least secure of the three methods. A phone number is not tied to a physical device: in a SIM swap attack, an attacker convinces (or bribes) the carrier to move the number to a SIM they control and then receives all of that number's text messages; malware on the phone can likewise read and forward incoming texts, and weaknesses in the carrier signaling network (SS7) allow interception in transit. An SMS code can also be phished like any other one-time code. Here's how SMS performed against all three attack methods:

  1. Targeted attack: 76% effective

  2. Bulk phishing attack: 96% effective

  3. Automated bot attack: 100% effective

On-Device Prompt Through an Authentication App

Authentication apps, like Google Authenticator, are another popular way that companies implement multi-factor authentication. The app is installed on the user's phone and then enrolled with each account being protected. When a user attempts to log in, the app either displays a short-lived code (a time-based one-time password, or TOTP, regenerated roughly every 30 seconds from a secret shared during enrollment) that the user types in, or shows an on-device prompt asking the user to approve the sign-in.

Convenience: An MFA app is slightly less convenient than SMS because it requires the additional step of enrolling the app with each account. But it's still fairly easy for users and provides a consistent MFA experience across multiple accounts.

Security: Authentication apps have a mid-range level of security. They are more secure than SMS because the code never travels over the phone network, so a SIM swap does not expose it. However, the code is still something the user reads and types: a convincing phishing page can ask for it and relay it to the real site within its validity window, and a push prompt can be approved by a user worn down by repeated requests. A stolen phone also exposes the codes if the device is unlocked or the app is not separately protected. In the Google study, the on-device prompt sat between the other two MFA methods. Here's how it performed:

  1. Targeted attack: 90% effective

  2. Bulk phishing attack: 99% effective

  3. Automated bot attack: 100% effective

Security Key

The least common of the three methods is a hardware security key, purchased from a maker like Yubico or Thetis. It's roughly the size of a USB flash drive, and some are even smaller. The key is registered with each account using MFA and is then plugged into a computer or mobile device (or tapped against a phone with NFC) to authenticate the login.

Convenience: This method is the least convenient of the three. You need to purchase the key and choose from several styles at varying prices, and users must keep the key with them to sign in. Register a second key as a backup, because a lost key with no alternative means being locked out of the account until an administrator resets MFA.

Security: In the Google study, using a security key for MFA was the most secure method of the three. Even if a phone is stolen, it's unlikely that the thief would also have the security key. More importantly, a FIDO/WebAuthn key never gives the user a code to type: it signs a challenge from the website, and that signature is bound to the site's real web address, so a look-alike phishing site cannot reuse it. That is why it scored 100% even against targeted attacks. If you must comply with standards like HIPAA or CMMC, a security key gives you the highest level of data breach protection. Here's how a security key did against all three attack methods:

  1. Targeted attack: 100% effective

  2. Bulk phishing attack: 100% effective

  3. Automated bot attack: 100% effective
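The two mechanisms compared above, the authenticator app's time-based code and the security key's signed challenge, can be put side by side in a few lines. The following is an added example, not code from the original article or from Texas I.T. Pros: it implements a TOTP generator and verifier per RFC 4226/RFC 6238 using only Python's standard library, then models a real-time phishing relay against each method. The "security key" side is a deliberately simplified stand-in for FIDO2/WebAuthn (an HMAC over the challenge plus the browser-reported origin, instead of a per-site asymmetric signature), and the origins, secrets and challenge value are constructed for the demo.

```python
"""Added example (not from the Texas I.T. Pros article): a relayed one-time
code still works for the attacker, while an origin-bound security-key
assertion does not.

The TOTP part follows RFC 4226/RFC 6238 with Python's standard library.
The "security key" part is a simplified stand-in for FIDO2/WebAuthn: a real
key signs with a per-site asymmetric key pair; here an HMAC over the
challenge and the origin plays that role so the script needs no third-party
library. Secrets, origins and the challenge below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct
import time


# ---------- Authenticator-app style code (TOTP, RFC 6238) ----------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    hmac.compare_digest keeps the comparison constant-time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), submitted):
            return True
    return False


# ---------- Security-key style assertion (simplified WebAuthn model) ----------

def key_assert(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """The authenticator signs the site's challenge together with the origin the
    browser reports. The user never sees or retypes this value."""
    return hmac.new(key_secret, challenge + origin.encode(), hashlib.sha256).digest()


def verify_assertion(key_secret: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """The real site recomputes over *its own* origin; an assertion produced on a
    look-alike origin never matches, no matter how it was relayed."""
    expected = key_assert(key_secret, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


# ---------- Real-time phishing relay: attacker proxies the login ----------

REAL_ORIGIN = "https://login.example.com"      # constructed
PHISH_ORIGIN = "https://login-example.com"     # constructed look-alike


def relay_totp_attack(secret: bytes, now: int) -> bool:
    """User types the app code into the phishing page; the attacker submits the
    same digits to the real site a few seconds later, inside the 30 s step."""
    code_typed_into_phish_page = totp(secret, now)
    return verify_totp(secret, code_typed_into_phish_page, now + 5)


def relay_key_attack(key_secret: bytes, challenge: bytes) -> bool:
    """Attacker forwards the real site's challenge to the victim's browser, which
    is sitting on the phishing origin, and relays the resulting assertion."""
    assertion_from_victim = key_assert(key_secret, challenge, PHISH_ORIGIN)
    return verify_assertion(key_secret, challenge, REAL_ORIGIN, assertion_from_victim)


if __name__ == "__main__":
    totp_secret = base64.b32decode("JBSWY3DPEHPK3PXP")            # constructed demo seed
    key_secret = hashlib.sha256(b"demo-per-site-key").digest()   # constructed
    now = int(time.time())
    print("Relayed TOTP code accepted:   ", relay_totp_attack(totp_secret, now))       # True
    print("Relayed key assertion accepted:", relay_key_attack(key_secret, b"nonce-123"))  # False
```

Running it shows the relayed TOTP code being accepted (the attacker forwarded it well inside the 30-second step) while the relayed key assertion is rejected, because the victim's browser reported the phishing origin and the real site verifies against its own. That origin check, not the physical form factor, is what makes the key phishing resistant. The plus-or-minus-one-step window in verify_totp is the usual allowance for clock drift between phone and server, and it is exactly the window a relaying attacker exploits.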

Get Help Implementing MFA That's Secure & Convenient for Your Users

Texas I.T. Pros can help your Denton or Wise County business implement multi-factor authentication in a way that perfectly balances convenience and security. Contact us today to learn more! Call 940-239-6500 or reach out online.