Why Multi-Factor Authentication (MFA) Is No Longer Enough


For years, multi-factor authentication (MFA) has been an important security upgrade for businesses. Instead of relying on just a password, MFA adds a second step that usually requires a code sent to your mobile phone or generated by an app on a second device. That extra step has stopped countless cyber-attacks, and while MFA is still essential, it is no longer enough on its own to protect your business’s data. But let’s break down exactly what that means.

1. SMS Codes Were Never Designed to Be Secure

The most familiar type of MFA is a four- or six-digit code sent by text message (SMS). The problem is that SMS was never designed to be an authentication channel at all, let alone a secure one.

Attackers can intercept these text messages in transit, and in many cases they never need access to your phone. The signalling protocols that carriers use to route calls and messages between networks (SS7) have known weaknesses that allow messages to be redirected or intercepted behind the scenes. Attackers can also trick a mobile carrier’s support staff into transferring a victim’s phone number to a SIM card they control (a “SIM swap”). When this happens, your phone loses service and the attacker begins receiving your calls, texts and MFA codes.

None of this requires advanced hacking skills. If someone can talk a carrier’s support desk, or the user, into cooperating, they can often bypass SMS-based MFA.

2. MFA Fatigue

Another growing threat we’ve seen is “MFA fatigue”, also called push bombing. The attacker already has the user’s password and repeatedly attempts to log in, triggering dozens of approval requests on the user’s phone. Sometimes, out of frustration or confusion, the user taps “approve” just to make it stop. That single tap hands the attacker a fully authenticated session.

Modern authenticator apps reduce this risk with “number matching”: the login screen displays a short number, and the user must type that number into the app before the request is approved. A blind tap on a prompt no longer works, because only someone looking at the login screen knows the number. It does not stop an attacker who phones the user and reads the number out, so user training still matters. Many organizations still haven’t turned this protection on.
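The following is an added example, not code from this article or from any MFA vendor. It simulates the server side of a push-based MFA flow with the two defences a practitioner would want against push bombing: number matching, so a bare tap on the phone can never approve a login, and prompt throttling, so a burst of unanswered prompts locks the factor and raises an alert instead of sending more pushes. The user “alice”, the timestamps and the thresholds (5 prompts per 5 minutes, 60-second prompt lifetime) are all assumptions chosen for the demonstration.

```python
"""Simulated push-based MFA server with two defences against MFA fatigue.

Added example for illustration; not code from the page or from any MFA vendor.
Everything here is constructed: the user 'alice', the timestamps, and the
thresholds (5 prompts per 5 minutes, 60-second prompt lifetime) are assumptions.
"""
import secrets
from collections import defaultdict, deque

MAX_PROMPTS = 5        # assumption: more than 5 prompts per window is treated as an attack
WINDOW_SECONDS = 300   # assumption: 5-minute window
PROMPT_TTL = 60        # assumption: an unanswered prompt expires after 60 s


class PushMfaServer:
    def __init__(self):
        self.pending = {}                  # prompt_id -> (user, number, issued_at)
        self.history = defaultdict(deque)  # user -> timestamps of prompts sent
        self.locked = set()                # users whose push factor is locked pending review
        self.alerts = []                   # what the security team would see

    def start_login(self, user, password_ok, now):
        """Runs after the password check.  Returns (prompt_id, number) to show on
        the login screen, or None if no push is sent."""
        if not password_ok or user in self.locked:
            return None
        sent = self.history[user]
        while sent and now - sent[0] > WINDOW_SECONDS:   # drop prompts outside the window
            sent.popleft()
        if len(sent) >= MAX_PROMPTS:
            # Defence 2: throttle.  Stop sending pushes, lock the factor, alert.
            self.locked.add(user)
            self.alerts.append(f"{user}: {len(sent)} push prompts in {WINDOW_SECONDS}s; factor locked")
            return None
        sent.append(now)
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)    # two-digit number displayed on the login screen
        self.pending[prompt_id] = (user, number, now)
        return prompt_id, number

    def approve(self, prompt_id, number_typed, now):
        """Called from the phone.  Defence 1: number matching.  A bare tap
        (number_typed is None) can never approve a login."""
        entry = self.pending.pop(prompt_id, None)
        if entry is None:
            return False
        _user, number, issued_at = entry
        if now - issued_at > PROMPT_TTL:
            return False
        return number_typed is not None and number_typed == number


def legitimate_login():
    """User at the login screen sees the number and types it into the app."""
    srv = PushMfaServer()
    prompt_id, number = srv.start_login("alice", True, now=1000)
    return srv.approve(prompt_id, number, now=1005)          # True


def blind_tap_is_rejected():
    """User taps approve without typing a number (the fatigue-attack outcome)."""
    srv = PushMfaServer()
    prompt_id, _number = srv.start_login("alice", True, now=1000)
    return srv.approve(prompt_id, None, now=1005)            # False


def fatigue_attack():
    """Attacker who already has alice's password starts 20 logins in 20 seconds.
    Alice, worn down, taps approve on the 4th prompt without typing a number.
    Returns what the attacker achieved and what the server did about it."""
    srv = PushMfaServer()
    approved = False
    prompts_sent = 0
    for i in range(20):
        result = srv.start_login("alice", True, now=1000 + i)
        if result is None:
            continue                                         # throttled: no push reaches the phone
        prompts_sent += 1
        prompt_id, _number = result                          # number is on the attacker's screen, not alice's
        if prompts_sent == 4:
            approved = srv.approve(prompt_id, None, now=1001 + i) or approved
    return {"approved": approved, "prompts_sent": prompts_sent,
            "locked": "alice" in srv.locked, "alerts": list(srv.alerts)}


if __name__ == "__main__":
    print(fatigue_attack())
```

Running `fatigue_attack()` shows the attacker getting five prompts through, the blind tap on the fourth being rejected, and the factor locking with one alert before the remaining fifteen attempts reach the phone. The throttle threshold is a policy decision; what matters is that repeated unanswered prompts become a security signal rather than just noise on the user’s phone.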

3. Modern Phishing Attacks

Phishing emails have become extremely convincing. Instead of sending messages that are obviously fake, attackers now link to believable copies of login pages, and the copy is often a live proxy that sits between the user and the real site.

When the user enters their username and password and then types in their MFA code, the attacker captures all of it and relays it to the real site in real time, before the code expires. The attacker ends up with a logged-in session, and the user sees nothing unusual.

The FBI has warned that SMS phishing and voice-based attacks against businesses are increasing because they work. But there are ways to protect against this.

What Stronger Protection Looks Like

To stay ahead of these threats, businesses are moving toward phishing-resistant forms of MFA, where the second factor cannot be intercepted, relayed to another site, or approved by mistake. This includes:

• Authenticator apps with number matching

• Hardware security keys

• Passkeys protected by fingerprint or facial recognition

• Device-based authentication that verifies both the user and the device
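The script below is an added example, not code from this article, and it ties the phishing attack described above to the hardware-key and passkey items in this list. It runs two second factors through the same look-alike proxy: a six-digit one-time code, which the real site accepts no matter where the victim typed it, and an origin-bound assertion of the kind security keys and passkeys produce, which fails because the browser reports the phishing origin and the server’s fresh challenge and expected origin are part of what gets signed. Constructed inputs: the real site https://login.example.com, the look-alike https://login.examp1e.com, the user “alice”, and fixed test secrets that are not real credentials. To keep it dependency-free the authenticator “signs” with HMAC-SHA256 over a per-origin secret; real passkeys use a per-site key pair and a public-key signature, but the property shown (credential scoped to one origin, origin and challenge inside the signed data) is the same.

```python
"""Why a relayed one-time code lets the attacker in, and a relayed
passkey / security-key assertion does not.

Added example for illustration; not code from the page.  Constructed inputs:
the real site https://login.example.com, the look-alike phishing site
https://login.examp1e.com (a proxy that forwards whatever the victim types),
user 'alice', and fixed test secrets that are not real credentials.
The authenticator below "signs" with HMAC-SHA256 over a per-origin secret so
the script runs with the standard library only; real passkeys use a per-site
key pair and a public-key signature, but the property shown (the origin and
the server's challenge are inside the signed data, and the credential is
scoped to one origin) is the same.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.examp1e.com"   # constructed look-alike domain

# ---- Factor A: TOTP (RFC 6238), the code an authenticator app shows ----
TOTP_SECRET = b"constructed-test-secret-not-real"

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the 30-second counter, dynamically truncated (RFC 4226/6238)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_verify_totp(code: str, now: int) -> bool:
    # The code carries no information about where it was typed, so the
    # real server cannot distinguish a relayed code from a genuine one.
    return hmac.compare_digest(code, totp(TOTP_SECRET, now))

def relay_totp_through_phish_proxy(now: int) -> bool:
    """Victim reads the code off their app and types it into the phishing page;
    the proxy forwards it to the real site inside the same 30-second window."""
    typed_into_phish_page = totp(TOTP_SECRET, now)
    return server_verify_totp(typed_into_phish_page, now)    # True: attacker is in

# ---- Factor B: origin-bound assertion (passkey / hardware security key model) ----
# Registration created a credential scoped to REAL_ORIGIN; the authenticator
# keeps the key and the server keeps the verifier.
authenticator_keys = {REAL_ORIGIN: secrets.token_bytes(32)}  # constructed key material
server_verifiers = {"alice": authenticator_keys[REAL_ORIGIN]}

def authenticator_sign(browser_origin: str, challenge: bytes):
    """The browser, not the web page, tells the authenticator which origin it is
    on.  No credential for that origin means no assertion at all; if one exists,
    the origin is part of the signed data and cannot be swapped afterwards."""
    key = authenticator_keys.get(browser_origin)
    if key is None:
        return None
    client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin}).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def server_verify_assertion(user: str, issued_challenge: bytes, assertion) -> bool:
    if assertion is None:
        return False
    client_data, sig = assertion
    parsed = json.loads(client_data)
    if parsed["origin"] != REAL_ORIGIN or parsed["challenge"] != issued_challenge.hex():
        return False                                         # wrong site or stale challenge
    expected = hmac.new(server_verifiers[user], client_data, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def legitimate_passkey_login() -> bool:
    challenge = secrets.token_bytes(32)                      # fresh per login attempt
    return server_verify_assertion("alice", challenge, authenticator_sign(REAL_ORIGIN, challenge))

def relay_assertion_through_phish_proxy() -> bool:
    """Proxy fetches a real challenge and presents it on the phishing origin."""
    challenge = secrets.token_bytes(32)
    return server_verify_assertion("alice", challenge, authenticator_sign(PHISH_ORIGIN, challenge))

def replay_captured_assertion() -> bool:
    """Attacker somehow captured a genuine assertion; the server has since
    issued a new challenge, so the captured one no longer matches."""
    old = secrets.token_bytes(32)
    captured = authenticator_sign(REAL_ORIGIN, old)
    return server_verify_assertion("alice", secrets.token_bytes(32), captured)

if __name__ == "__main__":
    import time
    print("relayed TOTP accepted:     ", relay_totp_through_phish_proxy(int(time.time())))
    print("relayed passkey accepted:  ", relay_assertion_through_phish_proxy())
    print("replayed passkey accepted: ", replay_captured_assertion())
```

The one-time code fails not because it is weak but because nothing in it names the site it was typed into; the proxy just moves six digits from one tab to another within the 30-second window. The origin-bound assertion fails the attacker twice over: on the look-alike domain the authenticator has no credential to use, and even a captured assertion cannot be reused because the server checks its own fresh challenge. That is the concrete difference between “MFA” and “phishing-resistant MFA”.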

Modern security solutions also check the health and identity of the device trying to log in, not just the credentials. If the device isn’t recognized or doesn’t meet security standards (current patches, disk encryption, endpoint protection running), access is denied. These checks are part of a broader approach called “zero trust”, which assumes nothing and verifies every request before granting access.

MFA is essential, but on its own it is no longer enough. Upgrading to phishing-resistant authentication is one of the smartest and most cost-effective cybersecurity investments you can make today.

If you’re unsure whether your current MFA setup is truly protecting your business, now is a good time to take a deeper look. Our team of technicians at GMITS are happy to review your current setup and help you implement a stronger, user-friendly solution!

Contact Us

Your local Vermont IT experts are just a phone call or email away.
