Trends Report

Remote Workers Turning To SMS-Based Two-Factor Authentication Is Much Better Than Passwords, But It Won’t Stop Targeted Attacks

Sean Ryan
Brian Kime
Sep 22, 2020

Summary

Security leaders responsible for authentication approaches at their organization should read this research to understand the current state of adoption as well as future solutions. Forrester estimates that 70% of organizations are still password-centric. When entire workforces were forced to go remote, most of these companies started using two-factor authentication (2FA) in the form of a one-time password (OTP) over SMS. SMS OTP is the quickest form of 2FA to deploy because it avoids installing a mobile app, but it is also susceptible to compromise in certain cases. SMS 2FA can prevent up to 96% of bulk phishing and 100% of bot threats (automated software attempting to crack weak or known passwords). However, SMS 2FA only stops 76% of narrowly targeted attacks. Multifactor authentication (MFA) and passwordless approaches provide superior security for preventing account takeover but are more expensive and may require new technical skills and knowledge to deploy and operate. Consider total cost of ownership and user experience implications. Develop threat models for different user populations and base authentication options on those models. Privileged users, senior executives, and employees in finance and HR are likely targets, so consider implementing more robust security measures such as hardware security tokens for these users first. Schedule an inquiry for further guidance.
