top | item 38452564


TheSwordsman | 2 years ago

It's extremely risky to use MFA via text messages, due to the commonality of SIM swap attacks. Attacker calls your cell phone provider, executes a social engineering attack to authenticate as you, and can now route your phone calls and text messages to a device they own. It's a good idea to avoid SMS/Phone MFA.

If you use a token generator (Google Authenticator, Authy, or the one built into products like 1Password), a shared secret key is used to generate the MFA token. You store this secret in that software, and it uses the current time + that secret key to generate the MFA token.

This is a far better mechanism than the SMS or phone call based approach. And in this mechanism you can store the secret in any software that's able to generate the token using that algorithm.

Most commonly it's this algorithm: https://datatracker.ietf.org/doc/html/rfc6238
