FBI SMS two-factor authentication

FBI warns against using SMS in two-factor authentication

In recent years, two-factor authentication, or 2FA, has become an essential tool for protecting online accounts, adding a layer of security beyond the simple combination of username and password. However, not all 2FA methods are equally secure, and the FBI (Federal Bureau of Investigation) recently issued a significant warning: stop using SMS as a means of verification, as it is judged unsafe. This recommendation follows one of the largest security breaches in US history, attributed to the group Salt Typhoon, the alleged “operational arm” of the Chinese government, which has demonstrated how vulnerable telecommunications networks are and raised global concerns about data security. CISA (Cybersecurity and Infrastructure Security Agency) also advises against the use of SMS as a verification tool, judging it «not resistant to phishing». It is much better to opt for safer solutions, such as authentication apps, FIDO security keys or passkey systems, which are designed to resist even the most sophisticated attacks.

The SMS problem according to the FBI and the threat of phishing attacks

Two-factor authentication via SMS involves sending a temporary code by text message to the user’s phone number. This method, while undoubtedly very practical, presents significant vulnerabilities. Text messages are not encrypted, meaning they can be intercepted by malicious actors with access to telecommunications networks.

According to Yashin Manraj, a cybersecurity expert, the main risk lies not only in the interception of codes, but also in the ease with which users fall victim to phishing attacks. Speaking to the site NewsNation, he stated:

In terms of SMS, the biggest concern isn’t two-factor authentication, but the fact that people click on a lot of links. I believe 60-70% of active and successful hacks are because people have been able to send phishing links that are basically able to hijack user information, banking information or access to more critical infrastructure.

Safer alternatives to 2FA via SMS

To improve security, CISA recommends adopting more robust alternatives to 2FA via SMS. Authentication apps, such as Google Authenticator or Microsoft Authenticator, generate temporary codes directly on the user’s device, making them inaccessible to anyone without physical access to the device. Another reliable option is FIDO-based authentication (Fast IDentity Online), which uses physical security keys or biometric technologies to verify the user’s identity.

Another safe system is the increasingly widespread passkey, which completely eliminates the need for “traditional” passwords. Passkeys rely on advanced cryptographic standards and on biometric data stored on the device, making unauthorized access to accounts practically impossible, even in the event of phishing.

Best practices for protecting your accounts

In addition to choosing secure authentication methods, CISA suggests some fundamental best practices for protecting devices and personal data.

  • Keep your smartphones and computers updated with the latest security updates available.
  • Enable PIN protection for SIMs and use strong passwords.
  • Use a password manager to create and store unique, complex credentials for each account, avoiding the use of predictable or reused combinations.