To protect users against SIM swapping attacks, websites, services, or apps (relying parties) should avoid using phone numbers to authenticate or to send recovery access codes. While this is a common practice today, it can no longer be assumed that an account owner has control over their phone number.
Websites, services, and apps need to move to WebAuthn to improve authentication security. Transitioning completely off phone numbers might take time, but relying parties can quickly reduce this risk by offering WebAuthn security keys as an authentication option and encouraging users to opt out of having their phone number used in authentication or recovery flows.
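The transition policy described above, written out as relying-party logic in JavaScript. This is an added example, not code from the white paper or from any WebAuthn library: it keeps phone-based channels only for users who have nothing stronger yet, drops them for users who hold a WebAuthn credential or have opted out, refuses to let a user remove their phone number before a non-phone factor and recovery path exist, and lists the accounts that a SIM swap alone would compromise so they can be prompted to enroll a key. The account record shape, channel names and function names are assumptions made for this example.

```javascript
// Added example (not the white paper's or any library's code): a relying
// party's channel policy for second factors and account recovery.
// Record shapes and channel names are assumptions for illustration.

const PHONE_CHANNELS = new Set(["sms", "voice"]);   // exposed to SIM swapping
const STRONG_CHANNELS = new Set(["webauthn"]);      // phishing-resistant

// Constructed sample accounts (not real users).
const accounts = {
  // holds a security key and has opted out of phone-based flows
  alice: { secondFactors: ["webauthn", "sms"], recovery: ["sms", "email", "recovery_codes"], phoneOptOut: true },
  // registered a security key but never changed preferences
  bob:   { secondFactors: ["webauthn", "sms"], recovery: ["sms", "email"], phoneOptOut: false },
  // legacy user: the phone number is the only second factor and recovery path
  carol: { secondFactors: ["sms"], recovery: ["sms"], phoneOptOut: false },
};

function hasStrongFactor(account) {
  return account.secondFactors.some((c) => STRONG_CHANNELS.has(c));
}

// Channels the relying party will offer for `purpose`, which is either
// "secondFactors" or "recovery". Phone channels are removed once the user
// opted out or owns a WebAuthn credential; they are kept only if removing
// them would leave nothing, so a legacy phone-only user is not locked out.
function allowedChannels(account, purpose) {
  const channels = account[purpose];
  const dropPhone = account.phoneOptOut || hasStrongFactor(account);
  if (!dropPhone) return channels.slice();
  const nonPhone = channels.filter((c) => !PHONE_CHANNELS.has(c));
  return nonPhone.length > 0 ? nonPhone : channels.slice();
}

// Present WebAuthn first and phone channels last in any chooser UI.
function rankChannels(channels) {
  const weight = (c) => (STRONG_CHANNELS.has(c) ? 0 : PHONE_CHANNELS.has(c) ? 2 : 1);
  return channels.slice().sort((a, b) => weight(a) - weight(b));
}

// A user may drop their phone number from both flows only when a strong
// second factor and at least one non-phone recovery channel already exist.
function canRemovePhone(account) {
  return hasStrongFactor(account) && account.recovery.some((c) => !PHONE_CHANNELS.has(c));
}

// Accounts where control of the phone number alone is enough: every second
// factor, or every recovery channel, is phone-based. Feed this list into
// enrollment prompts for security keys or other non-phone channels.
function phoneOnlyAccounts(all) {
  return Object.entries(all)
    .filter(([, a]) =>
      a.secondFactors.every((c) => PHONE_CHANNELS.has(c)) ||
      a.recovery.every((c) => PHONE_CHANNELS.has(c)))
    .map(([name]) => name);
}

// Demonstration on the constructed accounts.
for (const [name, account] of Object.entries(accounts)) {
  console.log(name,
    "2FA:", rankChannels(allowedChannels(account, "secondFactors")),
    "recovery:", rankChannels(allowedChannels(account, "recovery")),
    "may remove phone:", canRemovePhone(account));
}
console.log("still phone-only:", phoneOnlyAccounts(accounts));
```

Note that `bob` never opted out, yet his SMS channels are withheld because a WebAuthn credential is registered; a relying party that prefers to let such users keep SMS until they confirm can replace `hasStrongFactor(account)` in `allowedChannels` with an explicit preference, but doing so leaves the phone number as a live recovery path until then.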
Read this white paper to learn about:
- The problem with current phone-based MFA methods
- The WebAuthn open standard for secure strong authentication
- WebAuthn deployment best practices