Trends Report

Remote Workers Turning To SMS-Based Two-Factor Authentication Is Much Better Than Passwords, But It Won’t Stop Targeted Attacks

September 22nd, 2020
Sean Ryan
Brian Kime

Summary

Security leaders responsible for authentication approaches at their organization should read this research to understand the current state of adoption as well as future solutions. Forrester estimates that 70% of organizations are still password-centric. When entire workforces were forced to go remote, most of these companies started using two-factor authentication (2FA) in the form of a one-time password (OTP) over SMS. SMS OTP is the quickest form of 2FA to deploy because it avoids installing a mobile app, but it is also susceptible to compromise in certain cases. SMS 2FA can prevent up to 96% of bulk phishing and 100% of bot threats (automated software attempting to crack weak or known passwords). However, SMS 2FA only stops 76% of narrowly targeted attacks.

Multifactor authentication (MFA) and passwordless approaches provide superior security for preventing account takeover but are more expensive and may require new technical skills and knowledge to deploy and operate. Consider total cost of ownership and user experience implications. Develop threat models for different user populations and base authentication options on those models. Privileged users, senior executives, and employees in finance and HR are likely targets, so consider implementing more robust security measures, such as hardware security tokens, for these users first. Schedule an inquiry for further guidance.
