Retiring SMS-based two-factor authentication

Keeping customers’ data secure has always been a primary concern here at agileBase. Following best practices, such as automatically checking passwords against known leaks and enabling two-factor authentication, is a big part of that.

Since secure app-based two-factor authentication was released on the agileBase platform in 2018, we’ve been heavily promoting its use and gradually deprecating the older, text-message-based authentication codes.

For example, for a number of months, app-based authentication has been the only two-factor authentication mechanism available to new users.

Information has come to light in the last couple of days that the older SMS-based authentication mechanism is fatally flawed from a security perspective. Although it’s been known for a while that SMS codes have certain issues, using them has been seen as better than nothing, because exploiting those issues has required a certain amount of work and expertise. Recently, however, there have been cases where a newly discovered exploitation technique allows customers’ authentication codes to be easily stolen without them noticing anything’s amiss.

Given this new example of a vulnerability, we feel that the time is right to retire SMS codes entirely, as they increasingly provide more of a false sense of security than actual security.

As of the next release, agileBase will stop sending authentication codes by text message. Anyone using this mechanism will revert to having no 2FA, so they will be prompted to set up app-based two-factor authentication after logging in.

Due to past initiatives, this change will only affect the 12 percent of people still using the old SMS mechanism.