The US Cybersecurity and Infrastructure Security Agency (CISA) has released new guidelines warning against using text messaging as a method of two-factor authentication (2FA) on mobile devices. The recommendation comes in response to the recent hacking incident affecting AT&T, Verizon, and Lumen Technologies, which allowed hackers to read some but not all text messages.
According to CISA, text messaging is an insecure way to implement multifactor authentication (MFA) because it relies on the same messaging system used by attackers to gain unauthorized access. To avoid this vulnerability, users are advised to switch from text-message-based MFA to authenticator apps, which may have their own security risks but are considered more secure than traditional MFA with text messages.
The only method of multifactor authentication that is phishing-resistant is FIDO, which uses a digital passkey or physical USB device. Users can log in to services using a PIN, a biometric form of identification, or other secure methods, which makes FIDO the recommended choice for protecting sensitive information.
Source: https://www.snopes.com/news/2024/12/24/fbi-two-factor-authentication