

SMS MFA and phishing resistance: are your controls keeping up?


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

SMS MFA is a legacy assurance pattern, not a modern identity control. The article shows that the factor is bound to a telephone network, a customer-support process, and a short-lived code rather than to a cryptographic proof of possession. That makes it suitable only as a low-friction fallback, not as a control for accounts where compromise has operational or regulatory impact. Practitioners should classify SMS as a convenience factor with limited assurance value, not as a durable authentication control.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.

A question worth separating out:

Q: Who is accountable when SMS MFA fails and an account is taken over?

A: Accountability sits with the organisation that chose the assurance model, not with the attacker or the carrier alone. If the business relies on SMS for sensitive access, security, IAM, and application owners all share responsibility for the risk acceptance and the recovery design.

👉 Read our full editorial: SMS MFA is a weak control for high-assurance identity



   
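The post's central distinction, a bearer code versus a cryptographic proof of possession, is easiest to see by relaying both through an attacker-in-the-middle. The following is an added example and is not code from the post, the journal, or any product it refers to: a toy SMS-style OTP verifier is relayed and accepts the code, while an origin-bound assertion in the WebAuthn/FIDO2 style fails because the authenticator signs the origin it actually sees. HMAC-SHA256 over a per-device secret stands in for the asymmetric signature a real authenticator would produce (stdlib only); the origins, session ids and keys are constructed for the demo.

```python
"""Bearer OTP vs origin-bound proof of possession under a relay attack.

Added illustration, not code from the original post. HMAC over a shared
device key stands in for a real authenticator's asymmetric signature.
"""
import hashlib
import hmac
import secrets
import time

REAL_ORIGIN = "https://accounts.example.test"    # assumed, constructed
PHISH_ORIGIN = "https://accounts-example.test"   # assumed look-alike origin
OTP_TTL_SECONDS = 300


class OtpService:
    """Server side of an SMS-style code: issue, then check within the TTL."""

    def __init__(self):
        self._pending = {}  # session_id -> (code, expires_at)

    def send_code(self, session_id, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = (code, now + OTP_TTL_SECONDS)
        return code  # what the carrier would deliver to the phone

    def verify(self, session_id, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(session_id, None)  # single use
        if entry is None:
            return False
        code, expires_at = entry
        if now > expires_at:
            return False
        # Nothing in the code ties it to the page it was typed into.
        return hmac.compare_digest(code, submitted)


class Authenticator:
    """Device side: signs the challenge plus the origin the browser reports."""

    def __init__(self, device_key):
        self._key = device_key

    def make_assertion(self, challenge, observed_origin):
        msg = observed_origin.encode() + b"\x00" + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class OriginBoundService:
    """Server side: a challenge is valid once, and only for REAL_ORIGIN."""

    def __init__(self, device_key):
        self._key = device_key
        self._outstanding = set()

    def challenge(self):
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, challenge, assertion):
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)  # replay protection
        msg = REAL_ORIGIN.encode() + b"\x00" + challenge
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def sms_otp_under_relay():
    """Victim types the SMS code into the phishing page; attacker forwards it."""
    svc = OtpService()
    session = "sess-attacker"      # login the attacker started at the real site
    code = svc.send_code(session)  # victim's phone receives the code
    relayed_code = code            # attacker copies it from the phishing form
    return svc.verify(session, relayed_code)


def origin_bound_under_relay():
    """Same relay against an origin-bound factor."""
    key = secrets.token_bytes(32)
    svc, auth = OriginBoundService(key), Authenticator(key)
    ch = svc.challenge()  # attacker fetched this from the real site
    # The phishing page forwards the challenge, but the victim's browser tells
    # the authenticator the origin it is really on, so that is what gets signed.
    assertion = auth.make_assertion(ch, PHISH_ORIGIN)
    return svc.verify(ch, assertion)


def origin_bound_legitimate():
    """Control case: user is on the real origin, so the assertion verifies."""
    key = secrets.token_bytes(32)
    svc, auth = OriginBoundService(key), Authenticator(key)
    ch = svc.challenge()
    return svc.verify(ch, auth.make_assertion(ch, REAL_ORIGIN))


if __name__ == "__main__":
    print("SMS code accepted after relay:", sms_otp_under_relay())          # True
    print("origin-bound accepted after relay:", origin_bound_under_relay())  # False
    print("origin-bound legitimate login:", origin_bound_legitimate())       # True
```

The TTL and single-use check in `OtpService` are the only defences the SMS pattern offers, and neither helps against a live relay: the attacker submits the code well inside its window. The origin-bound verifier needs no extra logic to resist the same relay; the binding is in what gets signed.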