Two-factor authentication (2FA) is an indispensable cybersecurity measure used to protect data. Most of the modern information security standards despite the area of application such as PCI DSS, PSD2, HIPAA, etc., demand the multifactor authentication (MFA) among other data protection methods. This approach allows mitigating the danger coming from such attack vectors as brute force password cracking, keylogging, social engineering, phishing, and some kinds of man-in-the-middle attacks. Nevertheless, two-factor-authentication is not a cure-all solution by itself. This is just a single component in a major set of requirements for high-quality data protection. Taking care of data security means implementing a complex plan of actions. For example, this is clearly seen in the in the article 10 Steps to Eliminate Digital Security Risks in Fintech Project where we analyzed the components needed to protect payment gateways from cyber threats. In the current article, we’ll unveil all the weaknesses of two-factor authentication you have to keep in mind when strengthening your security infrastructure with MFA. And, of course, we’ll discuss all possible solutions to these weaknesses. 1. SMS authentication is not secure The US National Institute of Standards and Technology (NIST) recommended every company to abandon SMS authentication as insecure and no longer suitable strong authentication mechanism long ago. But many companies worldwide still opt for SMS to deliver the one-time passwords in their 2FA infrastructures. And it was only three months ago that Reddit has admitted this method to be not as effective and secure as the company was hoping. No doubt, SMS authentication is convenient for companies and users alike. But is this a reliable option? Unfortunately, no. Let us review the SMS authentication vulnerabilities. SIM-card Replacement In most cases, it wouldn’t be a hard task for a dedicated culprit to use a mobile operator’s SIM-card replacement service and intercept a victim’s number. The information needed for this fraud can be found in public sources or bought on the dark web. Network Protocol Vulnerabilities The next potential risk hides in the cellular protocols. And the fact that SMS exchange is not encrypted in any way. The security of SMS transport depends on the cellular network security. There is a number of vulnerabilities in consumer cellular networks as well as methods of exploiting them. Some of the most advanced ones do not even require costly hardware or specific skills. From this point of view, using SMS for security is rather dangerous. Moreover, if to take into account the fact that a usual SMS exchange is not encrypted in any way, an employee of a network center with a proper access can freely read all the messages. Not to mention all the possible ways to intercept the radio transmissions. Malware There are tons of fraudulent software aimed to steal the sensitive data. And mobile device trojans intercepting SMS messages are nothing new. Infection is immediate; the consequences are dire. Malware that ingrained itself into the gadget can play a variety of roles: Intercept the entered login credentials and one-time passwords as well; Track all the sent and received messages; Record the voice calls; Copy the SIM card parameters and contact information; Provide capabilities for remote control; Turn a device into a member of botnet or crypto-currency mining agent, etc. The tech-savvy attacker has nearly unlimited opportunities especially it concerns making use of open access to SMS messages on smartphones. Remember at least such trojans like Zeus, Zitmo, Citadel, Perkele, etc. And this is one more proof that today SMS is not the best choice for mobile two-factor authentication. What are the Solutions? Use Multi-Factor Authentication Applications One-time password generated directly on your device will fix the problem with SIM-card replacement and...