Any kind of multifactor authentication is better than nothing, but one particular method is less secure than previously thought.
In October 2024, The Wall Street Journal reported a major hack against the U.S.-based telecommunications companies AT&T, Verizon and Lumen Technologies. In the following months, as U.S. intelligence agencies investigated the hack and its scope, they released new guidelines that would allow people to keep their data and information secure.
On Dec. 18, 2024, the Cybersecurity and Infrastructure Security Agency released new recommendations for cybersecurity on mobile phones. One item on the list recommended against using a specific type of two-factor or multifactor authentication (2FA and MFA, respectively). The memo was reported on by News Nation, and several Snopes readers wrote in asking us about the recommendations.
The memo does not claim that all forms of multifactor authentication are insecure. In fact, the memo still recommends using multifactor authentication. However, there are multiple ways MFA can be implemented. The report said one common MFA technique, text messaging, was insecure.
Multifactor authentication is a common cybersecurity practice that involves using an extra location- or device-specific password. For instance, when logging into a Google account using MFA, simply typing in an email and password is not enough. Users must also tap a prompt on a device already linked to the Google account confirming that yes, it is them trying to log in. Another common form of MFA is getting a code via text message.
As previously reported by Snopes, the break-in allowed hackers to read some, but not all, text messages. While iPhones could securely send messages to iPhones and Androids could securely send messages to Androids, messaging between the two platforms was not secure. Because some MFA tools use that same insecure messaging system, they could also be vulnerable -- hackers could theoretically read the code and use it to access an MFA-protected account.
The report recommended that, at the bare minimum, people should move away from text message MFA to an authenticator app. These apps also have a problem (they are vulnerable to phishing attacks, in which a bad actor pretends to be a legitimate website in order to get a user to reveal personal information), but the CISA recommendation considered authenticator apps more secure than MFA with text messages.
The only method of MFA that is phishing-resistant is called FIDO, which uses either a digital passkey or a physical USB device that must be plugged into a computer. According to the FIDO Alliance, which developed the technology, using the most up-to-date FIDO protocol allows users to log in to a service using a PIN or a biometric form of identification, like a fingerprint or a face scan, instead of typing in a password.
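The two preceding paragraphs draw the line between authenticator apps (phishable) and FIDO (phishing-resistant). The following Python example, added here and not taken from Snopes, CISA or the FIDO Alliance, shows the mechanism behind that difference: an authenticator-app code (TOTP, RFC 6238, built on HOTP, RFC 4226) is the same six digits no matter which website asked for it, so a lookalike page that collects it can pass it on to the real server and it still verifies; a FIDO-style assertion is computed over the origin the browser is actually showing, so the real server rejects one produced on a lookalike page. The origins `https://bank.example` and `https://bank-example.test`, the shared secret and the key material are all constructed for the example, and an HMAC key shared at registration stands in for the per-site signing key pair that real FIDO uses.

```python
"""Why a TOTP code can be relayed by a lookalike page but a FIDO-style assertion cannot (simplified model)."""
import hashlib
import hmac
import secrets
import struct

# ---- Authenticator-app codes: HOTP (RFC 4226) over a time-based counter (RFC 6238) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)

REAL_ORIGIN = "https://bank.example"          # constructed origin of the genuine service
LOOKALIKE_ORIGIN = "https://bank-example.test"  # constructed lookalike origin

def totp_relay_succeeds(page_origin: str, now: int = 1_700_000_000) -> bool:
    """The user types the code their app shows into the page in front of them; that page forwards
    it to the real server. Nothing in the code records where it was typed, so it verifies either way."""
    shared_secret = b"constructed-shared-secret"      # enrolled in both the app and the real server
    code_typed = totp(shared_secret, now)              # identical regardless of page_origin
    forwarded = code_typed                             # whichever page collected it passes it on unchanged
    return hmac.compare_digest(totp(shared_secret, now), forwarded)

# ---- FIDO-style assertion: the browser-supplied origin is part of what gets signed ----

class Authenticator:
    """Stand-in for a passkey or security key. Real FIDO signs with a per-site private key;
    here an HMAC key shared at registration plays that role (a labelled simplification)."""
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # the real server would receive a public key instead

    def make_assertion(self, rp_id: str, challenge: bytes, browser_origin: str) -> tuple[bytes, bytes]:
        # The browser, not the web page's script, fills in the origin it is actually displaying.
        client_data = browser_origin.encode() + b"|" + challenge
        return client_data, hmac.new(self._keys[rp_id], client_data, hashlib.sha256).digest()

class RelyingParty:
    """The genuine service: it only accepts assertions bound to its own origin and its own challenge."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = origin.removeprefix("https://")
        self.user_key: bytes | None = None

    def verify(self, challenge: bytes, client_data: bytes, signature: bytes) -> bool:
        origin, _, echoed_challenge = client_data.partition(b"|")
        if origin != self.origin.encode() or echoed_challenge != challenge:
            return False  # produced on a different origin, or for a different challenge
        expected = hmac.new(self.user_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def fido_login_accepted(browser_origin: str) -> bool:
    """Simulate a login where the real server's challenge is relayed verbatim to whatever page the
    user is on, and the authenticator answers it with the origin the browser reports."""
    rp = RelyingParty(REAL_ORIGIN)
    auth = Authenticator()
    rp.user_key = auth.register(rp.rp_id)
    challenge = secrets.token_bytes(32)
    client_data, signature = auth.make_assertion(rp.rp_id, challenge, browser_origin)
    return rp.verify(challenge, client_data, signature)

if __name__ == "__main__":
    print("TOTP accepted from real page:      ", totp_relay_succeeds(REAL_ORIGIN))
    print("TOTP accepted via lookalike page:  ", totp_relay_succeeds(LOOKALIKE_ORIGIN))
    print("FIDO accepted from real page:      ", fido_login_accepted(REAL_ORIGIN))
    print("FIDO accepted via lookalike page:  ", fido_login_accepted(LOOKALIKE_ORIGIN))
```

The model shows only the server-side origin check; a real browser adds a second layer by refusing to invoke the authenticator at all when the page's origin does not match the credential's registered relying-party identifier. The HOTP and TOTP functions are the real algorithms and reproduce the RFC test vectors (secret `12345678901234567890`, counter 1 gives `287082`; time 59 with eight digits gives `94287082`).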