For many years, Multi-Factor Authentication (MFA) has been fundamental to safeguarding accounts and devices. While MFA continues to be a vital security measure, the threat landscape has evolved, rendering some legacy methods less effective. As a Managed Service Provider (MSP), we recognise the importance of staying ahead of emerging threats and continually enhancing our clients’ security posture.
The most prevalent form of MFA, one-time codes sent via SMS, offers convenience and familiarity, yet it is increasingly vulnerable. Cybercriminals have developed sophisticated techniques to bypass SMS-based authentication, making it inadequate for organisations managing sensitive information. SMS was designed for basic messaging, not for secure authentication: codes travel in the clear across carrier networks, and the signalling protocols those networks rely on, notably Signaling System No. 7 (SS7), have known weaknesses that allow messages to be intercepted or redirected.
Attackers are aware that many organisations still rely on SMS for MFA, making these organisations prime targets. By exploiting SS7 flaws, malicious actors can intercept text messages without direct access to a user’s device. Eavesdropping, message redirection and injection can occur within the carrier network or during transmission, putting one-time codes at risk. Furthermore, SMS codes are susceptible to phishing: if a user enters both their password and the code on a fraudulent site, the attacker can relay them to the real service and log in immediately, well within the code’s validity window.
Understanding SIM Swapping Attacks
One of the most significant threats to SMS-based security is SIM swapping. In these attacks, criminals impersonate legitimate users when contacting mobile carriers, claiming a lost device and requesting the transfer of the phone number to a new SIM card. Upon success, the victim’s phone is disconnected, and the attacker receives all calls and SMS messages, including MFA codes for critical accounts. This method relies on social engineering rather than technical expertise, making it a low-tech yet high-impact threat.
Why Phishing-Resistant MFA Is the New Gold Standard
To effectively mitigate these risks, it is imperative to take the decision away from the user by implementing phishing-resistant MFA: an authentication method in which there is no secret the user can be tricked into handing over. This approach leverages cryptographic protocols that bind each authentication to a specific domain. With the Fast Identity Online 2 (FIDO2) standard, for instance, the authenticator generates a separate public/private key pair for each site at registration, and the browser, not the web page, records which domain is requesting a login. The authenticator signs a response that covers the relying party identifier and the requesting origin, and the server rejects any response whose domain does not match its own. If a user lands on a phishing site, the authenticator holds no credential for that domain and releases nothing, so the phishing attempt is neutralised without the user needing to spot it.
Many phishing-resistant deployments are also passwordless, which removes the password itself as a target and eliminates one-time passwords that could be intercepted. Where a password is retained as a first factor, the second factor still cannot be phished. Attackers are therefore compelled to compromise the endpoint device directly, a significantly higher barrier than deceiving a user.
Implementing Hardware Security Keys
Among the most robust solutions are hardware security keys – small physical devices, similar in form to USB drives, which plug into a computer or are tapped against a phone over NFC. Authentication is a cryptographic challenge-response: the service sends a challenge, and the key signs it with a private key that is generated on the key and can never be exported. The user only inserts or taps the key and touches it to confirm presence, with a PIN or fingerprint on the key for higher-assurance configurations. There is no code to type and nothing for a phishing page to capture; an attacker would need physical possession of the key, and where a PIN is enforced, the PIN as well.
Mobile Authentication Apps and Push Notifications
For organisations where hardware keys are not practical, mobile authenticator applications such as Microsoft Authenticator or Google Authenticator present a viable alternative. These apps generate time-based codes locally on the device, which removes the risks associated with SIM swapping and SMS interception. They are a clear improvement over SMS rather than phishing-resistant MFA, however: a six-digit code typed into a web page can still be relayed by a phishing site in real time, just like an SMS code. Push notifications streamline the user experience but introduce “MFA fatigue” attacks, in which an attacker who already has the password triggers repeated prompts until the user approves one to make them stop. Modern solutions counter this with “number matching”, where the login screen displays a number that the user must enter into the app, so an approval cannot be granted without sight of the actual login attempt.
Passkeys: The Future of Authentication
With password breaches becoming increasingly common, the industry is shifting toward passkeys – FIDO credentials stored on a user’s device and unlocked by the device’s screen lock, typically a fingerprint or facial recognition. Passkeys carry the same domain binding as a hardware key and so are inherently resistant to phishing. They may be synchronised across a user’s devices through services such as iCloud Keychain or Google Password Manager, combining robust security with user convenience; the trade-off is that a synced passkey is then only as well protected as the cloud account that holds it, so device-bound credentials remain the better choice for the highest-privilege accounts. By eliminating passwords, passkeys reduce IT support burdens and streamline the authentication process for end users.
Balancing Security with User Experience
Transitioning from SMS-based MFA to modern authentication methods requires a strategic approach and clear communication. Users are accustomed to the simplicity of SMS codes, and introducing physical keys or authenticator apps may be met with resistance. As an MSP, we prioritise educating users about the risks of outdated methods, such as SIM swapping, and emphasise the importance of protecting sensitive information. A phased implementation can facilitate user adoption, but phishing-resistant MFA should be mandatory for privileged accounts, including administrators and executives.
The Costs of Inaction
Maintaining legacy MFA solutions poses significant risks, offering only a false sense of security and leaving systems exposed to costly breaches. Upgrading to advanced authentication technologies yields substantial returns on investment, as the expenses associated with hardware keys or management platforms are minimal compared to the financial and reputational impact of cyber incidents.
Is your organisation prepared to move beyond passwords and SMS codes? As a trusted MSP, we specialise in deploying modern identity solutions that safeguard your data while ensuring a seamless user experience. Contact us today to discuss how we can tailor a secure and efficient authentication strategy for your organisation.