Cisco Acquires Duo, Or How Should You Do Two-Factor Authentication (2FA)?
The National Institute of Standards and Technology (NIST) has not been recommending SMS OTP 2FA for a while precisely because of SMS inbox takeovers, MITM attacks, etc.
From the license cost perspective, the price of moving away from SMS (to Google Authenticator, for example) is minimal. Google publishes guides on how to do this. From the technical support perspective, the process is marginally more expensive, as you have to support your end users’ downloads, etc. There is also a one-time cost for cutting over in terms of application integration. And finally, depending on the geography, some of your users may not have mobile internet and/or smartphones to run the app (but even on a feature phone, they have SMS, since it goes over the GSM core network).
Most IDaaS vendors — Duo Security (now acquired by Cisco), etc. — offer geofenceable push notification mobile app tokens with OTP generators for offline use. Almost all (except RSA) have OATH, TOTP, and HOTP compatibility so that you can use Vendor A’s IDaaS solution with Vendor B’s OTP token. Some exotic firms such as Comarch also offer QR-code-based offline challenge response sequences between your desktop (showing a QR code) and the mobile 2FA app (scanning the QR code); the mobile 2FA app then shows a QR code dependent on the OTP that you have to type into the app.
But in North America, developed regions of APAC, and Western Europe, there is no reason to stay on SMS now.
Most of today’s biometrics available on mobile devices (FIDO UAF) are not true 2FA, as at registration time you authenticate first with your legacy credentials on your mobile device and only then assign your fingerprint or face ID to log into the app. FIDO’s U2F is true 2FA, but viable biometric U2F implementations today are few and far between.
Risk-based authentication makes life a little easier for your users: The system generates a centralized risk score based on your IP geolocation, GPS geolocation, device ID/fingerprint, and its reputation. If the risk score is low (i.e., you’re coming in from your office on your desktop/laptop), you don’t have to use 2FA. But if the risk score is high, you will be challenged for 2FA.