As promised in my last article, this week we're going to dive into multi-factor authentication (MFA, also known as 2FA for two-factor authentication), the critical second layer of security that protects your accounts when passwords fail. But not all MFA methods are created equal, and some might actually leave you more vulnerable than you'd think...
The concept behind MFA is simple: require something you know (password), plus something you have (a device or token) to prove you're really you. When implemented properly, it's extremely effective. But when companies force specific authentication methods upon users without understanding the security implications - particularly SMS-based verification - they're not just being annoying, they're potentially compromising your security.
Let me share a particularly frustrating experience. Facebook insisted I add my phone number to my account "for security purposes." Despite already having a proper authenticator app set up for 2FA and access to my email address, I reluctantly complied. Then disaster struck while I was overseas. Despite my paying for a long-term contract, my provider expired my phone number and it was reassigned to someone else.
Then, when that person attempted to log in from their new phone, Facebook gave precedence to the random stranger who now possessed my old phone number, despite all my other verified credentials... This stranger didn't have my password, couldn't access my email, and couldn't provide my authenticator codes - yet Facebook deemed the phone number alone sufficient to supersede everything else.
This highlights the fundamental problem with phone-based verification: phone numbers are neither permanent nor secure. They can be reassigned when service lapses, hijacked through SIM-swapping attacks, or spoofed through various technical exploits. Yet many organisations insist on collecting your phone number, not primarily for your security, but for their own data collection purposes disguised as "security measures" or to satisfy Know Your Customer (KYC) requirements.
The bitter irony is that while these companies claim to be enhancing security, they're actually introducing significant vulnerabilities by relying on the least secure form of MFA available. Any authentication system that can be compromised by a third party gaining control of your phone number - whether through social engineering a mobile carrier's customer service representative or simply being the lucky recipient of your recycled number - is fundamentally flawed.
What should companies be doing instead? Prioritising authenticator-app-based 2FA (such as Google Authenticator or Authy) or hardware security keys (such as YubiKey). Biometric verification, though often touted as convenient, is just another form of problematic KYC - once your fingerprint or face scan is compromised, you can't change them the way you can change a password.
These biological identifiers become permanent, unchangeable records in company databases, creating lifelong security risks. The stronger options provide significantly better security without the transferability issues inherent to phone numbers or the permanence problems of biometrics. More importantly, companies should design account recovery processes that don't undermine their entire security model at the first sign of trouble.
As businesses increasingly rely on digital services, it's crucial to understand what's happening behind the scenes with your accounts and data. Be wary of organisations that insist on phone number verification while offering no alternatives. When possible, insist on authenticator apps, avoid linking critical accounts to phone numbers, and remember that true security comes from proper implementation, not just ticking compliance boxes or harvesting your personal data.
Are your authentication methods truly secure, or just creating a false sense of security? Does your company need guidance implementing proper MFA solutions that balance security with usability?
Get in touch today, and let's ensure your security measures are actually making you more secure - not less.