Reddit, an online discussion platform, does not recommend the use of SMS as an extra authentication step. Even so, SMS authentication is still safe enough in many applications, AG Connect reports after an interview with Fox-IT. Systems administration is not one of them.
Fox-IT notes that the possibility of SMS interception has been known for some time, but most organisations aren’t aware that it could be an issue. And using SMS authentication is better than not using any two-factor authentication at all. That’s why the security expert does not necessarily think that SMS is unsafe. “There are lots of attackers that do nothing but try out leaked passwords. SMS authentication protects you from these types of attacks.” In any case, SMS is not a safe authentication method for administration tools, Fox-IT says. He also advises not connecting the login page for those tools to the internet at all.
Fox-IT: Authentication app is better than SMS
For two-step authentication for administration tools and other access, a telephone app like Google Authenticator would be a better option. Fox-IT suggests U2F as an alternative, saying it’s the safest method so far. “U2F authentication offers effective protection from phishing attacks, because the URL is also checked during the login process.”
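
How a server can enforce the URL check mentioned in the quote, as an added example that is not from the article or from Fox-IT: it validates the U2F client data of a sign-in (type, origin, challenge) and builds the bytes the token's signature must cover. `APP_ID`, `ALLOWED_ORIGINS`, the helper names and the sample values are assumptions; verifying the ECDSA signature over the returned bytes is outside this example's scope.

```python
import base64
import hashlib
import json
import struct

# Assumed values for this example (not from the article).
APP_ID = "https://admin.example.com"
ALLOWED_ORIGINS = {"https://admin.example.com"}


def b64url(data: bytes) -> str:
    """Web-safe base64 without padding, as U2F uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_client_data(client_data: bytes, issued_challenge: bytes) -> bytes:
    """Validate browser-supplied client data; return the challenge parameter."""
    data = json.loads(client_data)
    if data.get("typ") != "navigator.id.getAssertion":
        raise ValueError("unexpected typ")
    # The browser, not the page, fills in the origin, so a look-alike
    # site cannot present itself as the real login page.
    if data.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError("origin mismatch")
    if data.get("challenge") != b64url(issued_challenge):
        raise ValueError("challenge mismatch")
    return hashlib.sha256(client_data).digest()


def signed_payload(client_data: bytes, issued_challenge: bytes,
                   user_presence: int, counter: int) -> bytes:
    """Bytes the token's signature must cover for this sign-in."""
    challenge_param = check_client_data(client_data, issued_challenge)
    # SHA-256(appId) is part of the signed data, so a response produced
    # for a different appId does not verify against this payload.
    app_param = hashlib.sha256(APP_ID.encode()).digest()
    return app_param + struct.pack(">BI", user_presence, counter) + challenge_param


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed sample of the client data a browser would return."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()
```

A response relayed from any origin outside `ALLOWED_ORIGINS` is rejected before the signature is even considered, which is the property SMS and app-generated codes lack.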