Good overview piece abut 2FA and beyond.
Is MFA Needed to Improve Security?
By Keith Kirkpatrick Commissioned by CACM Staff February 25, 2021
Many corporate and consumer-based systems and applications deploy short message service (SMS)-based two-factor authentication technology to help protect users from being hacked. This method of two-factor authentication is fairly simple; a user will log onto an app or system using their username and password, and then a unique security code is generated by an algorithm within the app, which is then sent to the user's phone via a text message. If that code is correctly entered into the system when prompted, it theoretically will authenticate the person trying to log into the system.
However, SMS-based authentication is rife with security holes. Alex Weinert, Microsoft's director of identity security, published a blog post in early November highlighting the immense risk of continuing to use SMS-based codes to authenticate users, given the ability of hackers to either intercept the codes while they're being sent (basic SMS messages are unencrypted), or to simply carry out a scheme known as subscriber identity module (SIM)-card swapping, or SIMjacking.
SIMjacking is a technique through which a criminal will call a user's wireless company and use information gathered about the user (including personal data garnered via phishing schemes, guessing answers to challenge questions, and exploiting the empathetic nature of humans) to have a phone's SIM card transferred to their account, giving them access to the user's SMS messages, including authentication texts.
"SIM-based multi-factor authentication is probably one of the most popular MFA methods on the Internet, if not the most popular, meaning that almost every company you deal with uses these SMS-based MFA solutions, and you really don't have a choice," says Roger Grimes, author of Hacking Multifactor Authentication, and a Data-Driven Defense Evangelist at KnowBe4, a security awareness education company. "Not only is [SMS] a poor authenticator, it is fairly easy to hack, but many times you can't opt out of it."
That's why security professionals suggest the use of multi-factor authentication applications, which are designed to reside on each physical device and do not require the use of SMS-based authentication codes. Authentication applications, which have been released by both large companies (Google Authenticator, Microsoft Authenticator) and independent software vendors (Twilo Authy, LogMeIn LastPass Authenticator, and Duo Mobile) generally only require a data connection during the initial set-up process, which involves installing the application on a smartphone, then configuring it to work with each account to be protected. Each account provides a secret key that is shared over a secure data channel to the authenticator app, and is used for all future logins.
To log into such a site, the user will provide credentials (a username and password to the site); an algorithm then generates codes using the current time on the device and the shared secret key, in order to generate a one-time password, then asks the user to enter it. The user runs the Authenticator app, which independently computes and displays the same password, which the user types into the site, authenticating their identity. ... "