It’s delightful to see that more and more websites, apps and services employ MFA and even make this type of log-in protection a mandatory feature. What makes us a bit concerned, is that a huge portion of those websites still opt for SMS 2fa. Despite the facts that SMS verification has too many limitations and has been proven to be a lot less secure as any other two-factor authentication method. In fact, NIST (the National Institute of Standards and Technology) has issued a recommendation to replace SMS authentication with other types of MFA back in 2016. We do believe that SMS protection is way better than no protection at all. But is SMS secure? If it’s not, why so many companies continue to use it? Is SMS two-factor authentication really as evil as they say it is? What can it be replaced with? Let’s find out! SMS Authentication Pros SMS two-factor authentication is still alive and striving partly because of SMS ubiquity. It is a standard feature of most mobile plans from basically every mobile operator all over the world. Even if a user has no smartphone, they most probably have a simple mobile phone, which supports SMS.It is easy. There’s no need to download any apps, scan any QR codes, etc. SMS has been around for quite a while (the first SMS was sent back in 1992), even my grandmother knows how to use it, and she’s 90. So if you’ve got a non-tech savvy user you can bet they will be able to use an SMS authentication code, while a more advanced MFA type might become an issue.Finally, if someone tries to breach your account, an SMS code will be delivered no matter what. Some MFA apps, for instance, might malfunction in this scenario if there’s no Internet access. And with a two-factor authentication SMS you’ll know for sure something’s not right. Unless, of course, it’s a spoof SMS, or you are not the one receiving the verification password. And that’s where we come to the cons of SMS MFA.   SMS Authentication Cons As a number of infamous data breach scandals has shown over the last couple of years – breaking into an SMS protected account is not that hard for an average crook, and very easy for a well-equipped and motivated one.  The well-known Twitter break-in was done by impersonating the victim and convincing the provider company to transfer the victim’s text messages to the perpetrator’s SIM card. This is rather easy to do, especially if the criminals know some other bit of information about you, your social security number for example.A similar way to intercept your SMS one-time passwords is again by impersonating you, but this time requesting your telecom service provider to transfer the service to a different carrier. The criminals simply set up with another provider and carry on with their crime.Most of the SMS-based MFA systems offer a recovery option in case a user loses their phone or changes the number. If the hacker has access to your email they can reset the 2FA system, use the fake phone number for verification and you won’t even notice until it’s too late.If you are still wondering how secure is SMS, just consider the following. All the telecom infrastructure around the world relies on Signaling System 7 telephony protocol (SS7). This protocol is a way for the telecom networks to communicate between themselves, to start and end calls and perform other services, like SMS. SS7 was developed in 1975 and its vulnerabilities are well-known. Intercepting a text message exploiting these vulnerabilities is an SMS authentication hack that is painfully obvious and very easy to...