When MFA and Mobile Devices Don't Mix
Common methods of implementing MFA often rely on the use of mobile devices. When an SMS message, a one-time password or a push notification is sent, it is commonly delivered to a user's smartphone. That said, there are risks associated with using SMS, one-time-password or push-notification messages for MFA. When implemented improperly or used as the sole security method, the messages can be intercepted and the codes they carry reused by whoever captures them. In fact, the U.S. government has recommended that no MFA solution should rely solely on SMS verification tools.
Ensuring Protection Outside of Mobile-Based MFA
To fill these gaps and ensure 100 percent MFA coverage, agencies may consider hardware security keys. The key is typically a small physical device, often connected over USB, that grants access to accounts only while it is plugged into a computer. It provides a high level of protection against phishing and hacking because no one can access an account without both the login credentials and the key. And it doesn't rely on a phone.
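The contrast drawn in the two passages above, an SMS code that is valid for whoever submits it versus a hardware key whose response is bound to the site the user is actually on, can be shown in a small model. The following is an added example, not code from the article or from any vendor; it uses constructed origins and substitutes an HMAC for the public-key signature a real FIDO-style key produces, so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the illustration; they do not appear in the article.
LEGIT_ORIGIN = "https://login.example.gov"
PHISH_ORIGIN = "https://login.example.gov.evil.test"


class SmsOtpServer:
    """Server side of SMS one-time-password MFA, reduced to the essentials."""

    def __init__(self):
        self.pending = {}  # user -> code handed to the carrier for delivery

    def send_code(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return code  # the SMS leaves the server's control at this point

    def verify(self, user, code):
        # The server cannot tell who is typing the code, only whether it matches.
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class HardwareKey:
    """A possession factor: the secret never leaves the device, it only signs."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def registration_material(self):
        # Stand-in for the public key a real key exports at registration
        # (assumption: an HMAC key is used so the example needs no extra library).
        return self._secret

    def sign(self, challenge, origin):
        # The response covers the origin the browser reports, so a response made
        # on a look-alike site cannot be passed off as one made on the genuine site.
        return hmac.new(self._secret, challenge + origin.encode(), hashlib.sha256).digest()


class SecurityKeyServer:
    """Relying party: issues random challenges and checks origin-bound responses."""

    def __init__(self, origin):
        self.origin = origin
        self.registered = {}  # user -> key material
        self.pending = {}  # user -> outstanding challenge

    def register(self, user, key_material):
        self.registered[user] = key_material

    def issue_challenge(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def verify(self, user, signature, reported_origin):
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.registered:
            return False
        if reported_origin != self.origin:
            return False  # the response was produced for some other site
        expected = hmac.new(self.registered[user], challenge + reported_origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def _enrolled_pair():
    server = SecurityKeyServer(LEGIT_ORIGIN)
    key = HardwareKey()
    server.register("alice", key.registration_material())
    return server, key


def intercepted_sms_code_is_accepted():
    """Whoever captures the SMS code in transit can submit it, and it is accepted."""
    server = SmsOtpServer()
    captured = server.send_code("alice")  # the code is read off the message in transit
    return server.verify("alice", captured)


def genuine_key_login_succeeds():
    server, key = _enrolled_pair()
    challenge = server.issue_challenge("alice")
    sig = key.sign(challenge, LEGIT_ORIGIN)  # browser is on the real site
    return server.verify("alice", sig, LEGIT_ORIGIN)


def relayed_key_login_is_rejected():
    """A look-alike site forwards the real challenge; the key signs it for that origin."""
    server, key = _enrolled_pair()
    challenge = server.issue_challenge("alice")
    sig = key.sign(challenge, PHISH_ORIGIN)  # browser is on the look-alike site
    # The forwarded response is presented as if it came from the real origin.
    return not server.verify("alice", sig, LEGIT_ORIGIN)


if __name__ == "__main__":
    print("SMS code accepted from whoever holds it:", intercepted_sms_code_is_accepted())
    print("Genuine key login accepted:", genuine_key_login_succeeds())
    print("Relayed key response rejected:", relayed_key_login_is_rejected())
```

The point the model makes is that the SMS server has nothing to check beyond the code itself, whereas the security-key server checks both that the response was made with the enrolled device and that it was made for its own origin; a response produced on a look-alike site fails the second check even when the challenge was genuine.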
Another solution is Login.gov, the General Services Administration’s cloud-based remote identity proofing platform. Login.gov provides strong authentication to allow the public to access participating programs, using MFA for desktops as well as mobile devices. The user need only set up a Login.gov account, create a strong password and then select one or more additional authentication methods. These include security keys, authentication applications, biometric methods, and personal identity verification or common access cards.