After reading this article, you’ll:
- Understand the critical security differences between SMS-based 2FA and authenticator apps, including why CISA and the FBI now recommend avoiding SMS for multi-factor authentication in corporate environments and the specific vulnerabilities like SIM-swapping that make SMS codes susceptible to interception.
- Learn how to implement robust two-factor authentication in your mobile apps that protects your organization from credential theft, phishing attacks, and unauthorized access while balancing security with user experience.
- Gain practical knowledge of enterprise-grade authentication best practices, including FIDO2/WebAuthn standards, biometric integration options, and strategies for migrating your workforce from vulnerable SMS-based authentication to more secure alternatives.

The proliferation of mobile devices in the workplace has transformed how businesses operate, communicate, and serve their customers. But this surge in mobile app usage has been paralleled by an alarming increase in security threats. From data breaches to identity theft, the vulnerabilities associated with traditional password-only authentication have become impossible to ignore. According to Microsoft, more than 99.9% of compromised accounts don’t have multi-factor authentication enabled, and their systems face over 1,000 password attacks every second.
For businesses developing and deploying mobile applications, the question is no longer whether to implement two-factor authentication—it’s which method provides the best balance of security and user experience. And in late 2024, that question received a definitive answer from the highest authorities in cybersecurity.
In December 2024, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a stark warning to American businesses and consumers: stop using SMS codes for two-factor authentication. The guidance came in response to the Salt Typhoon cyber espionage attacks, where nation-state actors infiltrated multiple telecommunications companies and accessed call and data logs for an unknown number of victims.
This article explores everything you need to know about implementing two-factor authentication in your corporate mobile apps, with a detailed comparison of SMS-based verification versus authenticator apps—and why one of these methods should no longer have a place in your security strategy.
Understanding Two-Factor Authentication: The Foundation of Mobile Security
Two-factor authentication (2FA) adds an additional layer of security beyond traditional passwords by requiring users to provide two different forms of verification. This approach is based on the principle that authentication factors fall into three categories: something you know (like a password), something you have (like a phone or hardware token), and something you are (like a fingerprint or facial recognition).
The concept is straightforward: even if an attacker obtains your password through phishing, malware, or a data breach, they still cannot access your account without the second factor. This single principle has made 2FA one of the most effective security measures available. According to research from JumpCloud, using MFA reduces the risk of account breach by more than 99.9%, and two-factor authentication stopped 42% of cyberattacks in 2024, which would have caused companies to lose an estimated $14.7 billion in revenue.
For mobile app developers, integrating 2FA into applications has become not just a best practice but increasingly a regulatory requirement. Industries like healthcare must comply with HIPAA, payment processing applications must meet PCI-DSS standards, and virtually every business handling European customer data must consider GDPR requirements.
The multi-factor authentication market reflects this growing importance. As of 2024, the global MFA market size has grown to around $16.3 billion, and it’s projected to reach $83.72 billion by 2034, representing a compound annual growth rate of 17.39%. This explosive growth demonstrates that businesses worldwide are recognizing the critical importance of moving beyond password-only authentication.
The Current State of 2FA Adoption in Enterprise Environments
Despite the clear benefits, 2FA adoption remains uneven across the business landscape. According to JumpCloud’s 2024 IT Trends Report, 83% of organizations use password-based authentication for some IT resources, and 83% also require MFA. However, the implementation quality and method selection vary significantly.
A KnowBe4 survey of 2,600 IT professionals reveals a striking divide between large organizations and small to mid-sized businesses. While only 38% of large organizations neglect to use multi-factor authentication for securing user accounts, a much higher proportion—62%—of small to mid-sized organizations do not implement MFA at all.
Among those who have implemented 2FA, the methods used vary considerably. Around 41% of users rely on SMS-based verification, while 28% use authenticator applications such as Google Authenticator or Authy. Biometric methods including fingerprint and facial recognition have surged to 21% adoption in 2024, up from just 12% in 2022.
Perhaps most telling is user sentiment: while more than half of individuals hold a positive opinion of online platforms implementing MFA, 33% of users find 2FA annoying, 23% consider it too complex, and another 23% cite it as being too slow. This tension between security and convenience drives much of the debate around which 2FA methods to implement.
SMS-Based Two-Factor Authentication: Convenience at a Cost
SMS-based two-factor authentication works by sending a one-time password (OTP) to a user’s mobile phone via text message. When attempting to log in, users enter their password and then receive a code via SMS that they must enter to complete authentication. The appeal is obvious: virtually everyone has a mobile phone capable of receiving text messages, setup is nearly effortless, and the technology is familiar to users of all technical backgrounds.
As Johns Hopkins University professor of cryptography Matthew Green points out, SMS 2FA is almost “free” from a user-effort perspective. If you own a phone, the feature is already built in and enabled. Setup is nearly effortless. Backup is taken care of. Unfortunately, none of the same things are true for authenticator apps or hardware security keys.
This accessibility has made SMS the most popular 2FA method globally. According to Statista, at least 98% of organizations worldwide support multiple forms of authentication, with SMS-based time-based one-time passwords supported by about 56% of survey respondents. The familiarity and ease of implementation have made it the default choice for many applications.
However, this convenience comes with significant security trade-offs that have become increasingly difficult to ignore.
The Critical Vulnerabilities of SMS-Based Authentication
Security experts have warned against SMS-based 2FA for years. NIST issued guidance discouraging the use of SMS as an authenticator as early as 2016. But now, after numerous high-profile MFA bypass attacks, this advice has become impossible to ignore. CISA’s Mobile Communications Best Practice Guidance puts it bluntly: “Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.”
The vulnerabilities of SMS-based 2FA can be categorized into several distinct attack vectors:
SIM Swapping Attacks
SIM swapping (also known as SIM hijacking) occurs when attackers convince mobile carriers to transfer a target’s phone number to a SIM card they control. Once successful, they receive all SMS messages intended for the victim, including MFA codes. This technique has fueled financial fraud and corporate breaches costing organizations millions. SIM swapping attacks have surged 400% since 2020, demonstrating the growing sophistication and frequency of this threat.
A high-profile example occurred in 2019 when Twitter CEO Jack Dorsey fell victim to a SIM-swapping attack. Cybercriminals managed to trick Dorsey’s mobile carrier into transferring his phone number to a new SIM card, allowing hackers to bypass the SMS-based 2FA on his Twitter account and temporarily take over the account. In the financial sector, crypto investor Michael Terpin lost $24 million in 2018 after a teenager intercepted his SMS codes through a SIM swap attack.
SS7 Protocol Vulnerabilities
The SS7 (Signaling System 7) protocol, developed in the 1970s, forms the backbone of global telecommunications networks. It was designed when trust between network operators was assumed, and security was not a primary concern. Today, attackers can exploit flaws in the SS7 protocol to redirect text messages to their own devices without the victim’s knowledge. These vulnerabilities allow sophisticated attackers—particularly nation-state actors—to intercept SMS messages in transit, including authentication codes.
Social Engineering and Smishing
Smishing, or SMS phishing, tricks users into handing over their information, including OTPs, on fraudulent websites. Attackers can also trick employees into resetting MFA settings through social engineering, exploiting SMS-based verification. Groups like Scattered Spider have successfully bypassed SMS 2FA in multiple high-profile breaches, proving how effective targeted social engineering can be when combined with SMS vulnerabilities.
Phone Number Recycling
When users change phone numbers, their old numbers are eventually recycled and assigned to new customers. Attackers purchase blocks of recycled or unused numbers, betting that some remain linked to online accounts. With bulk automation, they test for accounts tied to those numbers and attempt takeovers. This creates an invisible vulnerability: even if you’ve changed your number, your old accounts might still be accessible to whoever receives your former number.
Lack of Encryption
Unlike modern messaging applications that use end-to-end encryption, SMS messages travel through carrier networks in plain text. Anyone with access to the telecommunications infrastructure—whether through legitimate employment, hacking, or government authority—can potentially read these messages. The Salt Typhoon attacks exploited exactly this vulnerability, with nation-state actors infiltrating telecom companies to access unencrypted communications.
Authenticator Apps: A More Secure Alternative
Authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy generate time-based one-time passwords (TOTP) locally on the user’s device. These codes change every 30 seconds and are never delivered to the device over any network, so the delivery-channel weaknesses of SMS-based authentication do not apply.
The technology works by establishing a shared secret between the app and the service during initial setup. The authenticator app then uses this secret, combined with the current time, to generate a new code every 30 seconds using a standardized algorithm (TOTP, RFC 6238, typically built on HMAC-SHA1). Because both the app and the server know the secret and the current time, they can independently compute the same code without any communication between them.
This approach provides significant security advantages over SMS while maintaining reasonable usability for most users.
Key Security Advantages of Authenticator Apps
Immunity to SIM Swapping: If an attacker hijacks a phone number, they don’t automatically get your TOTP codes. The codes are generated on the device itself, not delivered through carrier infrastructure.
No Network Transmission: Codes never travel through telecommunications networks, eliminating the risk of interception through SS7 vulnerabilities or compromised carriers.
Offline Functionality: Authenticator apps work even without cellular or internet connectivity, which is useful for travel, restricted environments, and areas with poor signal.
Reduced Phishing Vulnerability: Even if a user is tricked into entering a code on a phishing site, the code is only valid for a short period and cannot be reused, limiting potential damage. A real-time phishing proxy that relays the code within that window can still use it, which is why TOTP is not classed as phishing-resistant in the way FIDO2 is.
Local Encryption: Many authenticator apps encrypt stored secrets, adding an additional layer of protection against device-level attacks.
Popular Authenticator Apps for Enterprise Deployment
Google Authenticator: A straightforward, widely-recognized option that generates TOTP codes. Recent updates have added cloud backup functionality, though this introduces a potential security trade-off.
Microsoft Authenticator: Integrates deeply with Microsoft’s ecosystem and supports push-based approval in addition to TOTP codes. Particularly valuable for organizations using Microsoft 365 or Azure AD.
Authy: Offers encrypted cloud backup and multi-device synchronization, addressing the recovery challenges that plague other authenticator apps while maintaining strong security.
1Password and Similar Password Managers: Many password managers now include TOTP generation, allowing users to manage passwords and 2FA codes in a single, encrypted vault.
SMS vs. Authenticator Apps: A Comprehensive Comparison
Understanding the differences between these two methods requires examining them across multiple dimensions relevant to enterprise mobile app development.
Security Comparison
SMS messages travel through mobile carrier networks, which were never designed to be a secure authentication channel. They are susceptible to SIM-swap attacks, SS7 vulnerabilities, and OTP interception. This makes SMS 2FA one of the weakest forms of second-factor security, despite being the most common.
Authenticator apps generate codes locally, eliminating network-based vulnerabilities entirely. While they remain vulnerable to device theft or malware on the phone itself, these attack vectors require significantly more effort and sophistication than intercepting an SMS message.
User Experience Comparison
SMS has the advantage of familiarity—users already understand how text messages work. No additional app installation is required, and the verification code arrives automatically. However, SMS delivery can be delayed or fail entirely in areas with poor cellular coverage.
Authenticator apps require initial setup and involve a learning curve, but offer more reliable code generation once configured. They work offline, eliminating dependency on cellular networks. However, users who aren’t tech-savvy may struggle with setup, and recovery challenges can arise if users lose their phone, delete the app, or fail to save backup codes.
Implementation Complexity
For app developers, SMS-based 2FA is often simpler to implement, requiring integration with an SMS gateway service. The infrastructure is well-established, and many third-party services offer turnkey solutions.
TOTP-based authentication requires implementing the standard algorithm and providing users with a mechanism to set up their authenticator apps, typically through QR codes. However, the infrastructure is entirely server-side, with no dependency on external SMS providers or carrier networks.
Cost Considerations
SMS-based 2FA incurs per-message costs that can become significant at scale. International SMS delivery adds additional expense and reliability concerns. These ongoing operational costs must be factored into the total cost of ownership.
Authenticator app integration has no per-authentication cost—once implemented, the marginal cost of each authentication is essentially zero. The average cost of implementing two-factor authentication was estimated at about $15 per user per year, making it remarkably cost-effective compared to the average data breach cost of $3.86 million.
Beyond Basic 2FA: Advanced Authentication Options for Mobile Apps
While the SMS vs. authenticator app debate dominates discussions of two-factor authentication, several advanced options offer even stronger security for enterprise mobile applications.
FIDO2/WebAuthn and Passkeys
FIDO2 and the WebAuthn standard represent the gold standard for phishing-resistant authentication. CISA notes that “FIDO authentication uses the strongest form of MFA and is effective against MFA bypass techniques.”
These standards use public-key cryptography, where the private key never leaves the user’s device. Authentication happens through a cryptographic challenge-response that proves the user possesses the correct key without transmitting any secret that could be intercepted. Even if someone tricks a user into authenticating to a fake site, the authentication will fail because the cryptographic signature is bound to the legitimate origin.
Passkeys—the consumer-friendly implementation of these standards—are now supported by Apple, Google, and Microsoft across their platforms. For mobile app developers, supporting passkeys means tapping into device-level security like Face ID, Touch ID, or Android biometrics while maintaining the highest authentication assurance levels.
Hardware Security Keys
Physical security keys from manufacturers like Yubico provide the highest level of authentication security. These devices use FIDO2 protocols and require physical possession to authenticate. For high-value targets like system administrators, executives, and privileged users, hardware keys offer unparalleled protection. However, the cost and logistics of distributing and managing hardware keys make them impractical for general user populations.
Biometric Authentication
Modern mobile devices offer sophisticated biometric authentication through fingerprint sensors (Touch ID on iOS, various implementations on Android) and facial recognition (Face ID on iOS, various implementations on Android). These biometric systems provide a seamless user experience while offering strong security when properly implemented.
For mobile app developers, biometric authentication is particularly attractive because it leverages hardware security features built into the device. Apple’s Secure Enclave and Android’s hardware-backed Keystore provide protected environments for storing biometric data and cryptographic keys, ensuring that sensitive information never leaves the device’s secure hardware.
Push-Based Authentication
Push-based 2FA sends a notification to a user’s mobile app asking them to approve or deny a login attempt. This approach is convenient but comes with security caveats. “Push fatigue” can occur when users reflexively approve prompts they didn’t initiate, potentially allowing unauthorized access. For organizations implementing push-based MFA, features like number matching (requiring users to enter a code displayed on the login screen) and suspicious prompt detection are essential safeguards.
Implementation Best Practices for Mobile App Developers
Implementing robust two-factor authentication in mobile apps requires careful consideration of security, user experience, and operational requirements. Here are the essential practices for enterprise-grade implementation.
Secure Storage of Authentication Data
Authentication secrets must be stored securely on both the server and client sides. On iOS, store secrets in the Keychain and, where the platform allows, protect keys with the Secure Enclave—a dedicated hardware component designed to store and process sensitive data securely. On Android, implement the Android Keystore system, which provides a secure storage environment, leveraging hardware-backed security when available.
Never store authentication secrets in plain text, in unencrypted local storage, or in locations accessible to other applications. Use platform-specific security features to ensure that authentication data remains protected even if the device is compromised.
Design for Recovery Scenarios
When users change devices, delete their authenticator apps, or lose their phones, 2FA can quickly become a barrier instead of a safeguard. Recovery flows that are confusing or missing can lead to lockouts, support ticket spikes, and negative user sentiment.
Implement robust recovery mechanisms that maintain security while allowing legitimate users to regain access. Options include backup codes generated during enrollment, secondary authentication methods, and identity verification through trusted channels. Ensure recovery is at equal or greater assurance than the authenticator being replaced—never allow recovery via less secure methods than the original authentication.
It’s worth repeating CISA’s advice: just because you’ve enrolled in an authenticator app doesn’t mean you’ve fully unenrolled from SMS. It’s important to turn off SMS fallback functionality entirely to ensure you haven’t created a backdoor for attackers.
Implement Graceful Degradation
Always provide fallback options for users who might have issues with their primary authentication method—but ensure fallbacks don’t compromise security. If biometric authentication fails, fall back to PIN or passcode, not SMS. If an authenticator app is unavailable, provide backup codes rather than SMS delivery. Design fallback mechanisms that maintain appropriate security levels while keeping users productive.
Consider Risk-Based Authentication
Not all authentication events carry the same risk. A user logging in from their usual device at their normal location presents different risk than someone accessing sensitive data from a new device in an unusual location. Implement risk-based authentication that adjusts requirements based on context—requiring stronger factors for higher-risk scenarios while allowing smoother access for routine, low-risk operations.
Layer Authentication by User Role
CISA recommends a tiered approach to authentication. A high-level administrator might merit a hardware key as well as a biometric factor, while an entry-level employee will be well served by a strong password and an authenticator app. But regardless of a person’s seniority or job title, SMS-based authentication shouldn’t be in the mix at all. Even that entry-level employee might have login credentials for company systems that could cause devastating damage in the hands of a bad actor.
Migrating from SMS to Authenticator Apps: A Strategic Approach
For organizations currently using SMS-based 2FA, transitioning to more secure methods requires careful planning. A rushed migration can lead to user frustration, support overload, and even reduced security if users find workarounds to avoid the new requirements.
Phase 1: Assessment and Planning
Begin by inventorying all systems and applications currently using SMS-based authentication. Identify which users rely on these systems and understand their technical capabilities. Assess the risk level of each application—those handling sensitive data or privileged access should be prioritized for migration.
Develop clear communication materials explaining why the change is necessary. Reference authoritative sources like CISA guidance to demonstrate that this isn’t just an IT preference but a security imperative backed by federal cybersecurity agencies.
Phase 2: Pilot and Education
Roll out authenticator apps to technically capable early adopters first. Use their feedback to refine enrollment processes, documentation, and support procedures. Develop training materials that walk users through setup step by step, addressing common questions and concerns.
Create clear, user-friendly instructions for popular authenticator apps. Provide office hours or dedicated support for users transitioning to the new system. The goal is to make the migration as smooth as possible while building internal expertise to support broader rollout.
Phase 3: Gradual Rollout
Expand the migration in phases, starting with lower-risk applications and user groups. Allow a transition period where both SMS and authenticator apps are accepted, but actively encourage users to migrate. Track adoption metrics and identify users who may need additional support.
For high-risk applications and privileged users, consider accelerating the timeline or removing the SMS option entirely. Domain administrators are three times more likely to face account probing than regular users, yet reports have observed numerous administrators with no MFA, weak MFA, or sitting in MFA exclusion groups.
Phase 4: SMS Deprecation
Set a firm deadline for SMS deprecation and communicate it clearly. Provide final reminders as the deadline approaches. After the deadline, remove SMS as an authentication option entirely—leaving it available as a fallback creates a security vulnerability that attackers can exploit.
Regulatory Compliance and 2FA Requirements
Two-factor authentication isn’t just a security best practice—it’s increasingly a regulatory requirement across multiple industries. Understanding these requirements is essential for mobile app developers serving enterprise clients.
Healthcare (HIPAA)
For apps handling protected health information (PHI), HIPAA imposes strict rules on how personal health information is handled, including biometric identifiers. While HIPAA doesn’t explicitly mandate 2FA, the Security Rule requires “reasonable and appropriate” safeguards, and MFA is widely considered a minimum standard for systems accessing PHI. Healthcare organizations should implement the strongest feasible authentication for any mobile apps that touch patient data.
Financial Services (PCI-DSS)
The Payment Card Industry Data Security Standard requires MFA for all remote network access to a Cardholder Data Environment (CDE). For mobile payment apps and financial services applications, robust authentication isn’t optional—it’s a compliance requirement. The standard specifically calls out the need for strong authentication, and SMS-based methods are increasingly being scrutinized as potentially insufficient.
European Union (GDPR and PSD2)
GDPR classifies biometric data as sensitive data requiring stringent protection, with explicit user consent required before collection or processing. The second Payment Services Directive (PSD2) requires “strong customer authentication” on most electronic payments in the European Economic Area. For apps serving European users, authentication implementation must consider both data protection and payment security regulations.
Federal Government (OMB M-22-09)
OMB’s Federal Zero Trust memo requires phishing-resistant MFA for agency staff, contractors, and partners. While this directly applies to federal systems, it signals the direction of government security requirements and often influences private sector practices. Organizations doing business with the federal government should anticipate similar requirements extending to contractor systems.
The Future of Mobile Authentication
The authentication landscape is evolving rapidly, with several trends shaping the future of mobile app security.
Passwordless Authentication
The industry is moving toward eliminating passwords entirely. Passkeys use your device or biometric (fingerprint/Face ID) to log in with public-key cryptography, eliminating the typed password entirely. This means there’s nothing to steal via phishing—it’s inherently resistant to remote attacks and more convenient for users. Major companies like Apple, Google, and Microsoft are implementing passkey support, and adoption is accelerating. As of 2024, passwordless authentication contributed approximately $6.8 billion to the MFA market, and this segment is expected to grow significantly.
AI-Driven Behavioral Analytics
By the end of 2026, an estimated 40% of MFA implementations will adopt AI-driven behavioral analytics to detect unusual activity. These systems analyze patterns in how users interact with their devices—typing patterns, navigation behavior, time of access—to provide continuous authentication without explicit user action. This approach can detect compromised accounts even when the attacker has valid credentials.
Zero Trust Architecture
Zero Trust is a security framework that uses a “trust no one” philosophy, requiring all network users, internal and external, to be authenticated and authorized continuously. MFA and 2FA are key tools for organizations looking to implement zero trust security. As this architecture becomes standard, authentication will become more pervasive and sophisticated, with verification happening not just at login but continuously throughout a session.
Making the Right Choice for Your Mobile Apps
The evidence is clear: SMS-based two-factor authentication, while better than no 2FA at all, carries significant vulnerabilities that make it unsuitable for protecting sensitive corporate mobile applications. The warnings from CISA, the FBI, NIST, and countless security researchers can no longer be ignored.
For mobile app developers and the businesses they serve, the path forward involves transitioning to authenticator apps as a minimum standard, with aspirations toward phishing-resistant methods like FIDO2/WebAuthn and passkeys. The implementation cost is modest—approximately $15 per user per year—while the potential cost of a breach averages $3.86 million, not counting reputational damage and regulatory penalties.
The good news is that modern mobile platforms make implementing strong authentication easier than ever. Both iOS and Android provide robust APIs for biometric authentication, secure credential storage, and integration with industry-standard authentication protocols. Leveraging native device features like secure enclaves and hardware-backed keystores allows developers to provide enterprise-grade security with consumer-friendly user experiences.
The transition from SMS to stronger authentication methods isn’t just about compliance or following industry trends—it’s about protecting your users, your data, and your business from increasingly sophisticated threats. With 80% of security breaches preventable through the use of 2FA and proper authentication stopping 42% of cyberattacks, the investment in robust authentication pays for itself many times over.
As you plan your mobile app authentication strategy, remember that security is not a destination but a journey. Stay informed about evolving threats and emerging technologies. Work with experienced mobile app development partners who understand both the technical requirements and the user experience considerations. And most importantly, act now—every day that SMS remains your primary 2FA method is a day of unnecessary risk exposure.
Frequently Asked Questions
Why are the FBI and CISA recommending against SMS-based 2FA?
In December 2024, following the Salt Typhoon cyber espionage attacks on telecommunications companies, the FBI and CISA issued guidance advising against SMS-based authentication. SMS messages are not encrypted, meaning any threat actor with access to a telecommunication provider’s network can read them. Additionally, SMS is vulnerable to SIM-swapping attacks, SS7 protocol exploits, and social engineering. The agencies recommend using authenticator apps, hardware security keys, or other phishing-resistant methods instead.
Is SMS-based 2FA better than no 2FA at all?
Yes, SMS-based 2FA is significantly more secure than using passwords alone. Microsoft reports that more than 99.9% of compromised accounts did not have MFA enabled. However, SMS should be viewed as a stepping stone to more secure methods rather than a long-term solution. For organizations just beginning their 2FA journey, SMS can provide immediate security improvement while plans are made to transition to authenticator apps or other stronger methods.
What happens if a user loses their phone with their authenticator app?
This is a critical consideration for any authenticator-based 2FA implementation. Best practices include generating and securely storing backup codes during initial enrollment, enabling cloud backup in authenticator apps that support it (like Authy), implementing alternative recovery methods that maintain appropriate security levels, and keeping a hardware security key as a backup for high-value accounts. Organizations should establish clear procedures for account recovery that balance security with usability.
How much does implementing 2FA typically cost?
The average cost of implementing two-factor authentication is approximately $15 per user per year. This is remarkably cost-effective compared to the average data breach cost of $3.86 million. Authenticator app-based implementations have essentially zero per-authentication costs after initial implementation, unlike SMS-based systems which incur per-message charges. The return on investment for robust 2FA implementation is substantial.
What are passkeys and should we implement them?
Passkeys are a consumer-friendly implementation of FIDO2/WebAuthn standards that use public-key cryptography for authentication. They use your device’s biometric authentication (Face ID, Touch ID, fingerprint) to verify identity without transmitting any secret that could be intercepted. CISA considers FIDO authentication the strongest form of MFA, effective against MFA bypass techniques. Major platforms now support passkeys, making them increasingly practical for enterprise deployment. Organizations should begin planning for passkey adoption, especially for high-risk applications.
How do I convince leadership to invest in better authentication?
Focus on risk and ROI. Present the statistics: 80% of security breaches could be prevented with 2FA, and the implementation cost of $15 per user per year pales against the $3.86 million average breach cost. Reference authoritative guidance from CISA and the FBI explicitly recommending against SMS-based authentication. Highlight regulatory requirements that may apply to your industry. And emphasize that competitors and partners are increasingly requiring strong authentication—failing to implement it may put business relationships at risk.