Implementing two-factor authentication (MFA or 2FA) is now a no-brainer for any IT system. However, a common mistake is to believe that all MFA methods are equal. While sending a 6-digit code by SMS is tolerable for a consumer account, this method is considered dangerous and obsolete when it comes to protecting access to a Security Operations Center (SOC).
To ensure the integrity of the platform that orchestrates incident response for dozens of companies, offline cryptographic protocols are the only viable path. Let's decipher the deadly flaws of SMS authentication and why the TOTP (Time-Based One-Time Password) standard is the security foundation of the Akuity orchestrator.
The three fatal flaws of SMS authentication
For several years, cybersecurity agencies (including NIST) have strongly recommended against the use of SMS to secure critical access. The delivery of a text message relies on telecommunications networks, which were not designed with security as a top priority.
- SIM Swapping: This is the most common attack. A hacker calls the SOC analyst's telephone operator, impersonates the analyst using some personal data (social engineering), and declares the loss of the SIM card. The operator transfers the phone number to a new SIM card controlled by the hacker. From then on, the hacker receives all MFA codes by SMS instead of the analyst.
- The SS7 intercept: The Signaling System 7 (SS7) protocol, used by global carriers to route calls and text messages, suffers from rampant vulnerabilities. State attackers or highly organized cybercriminal groups can silently intercept SMS messages in transit over the network without ever touching the victim's phone.
- Automated phishing: Unlike a traditional password, the SMS code has a lifespan. Hackers have therefore created fake login portals (phishing) which ask for the password, then instantly display a fake page asking for the SMS code. The user types it in, and the hacker reuses it in real time on the real site.
The cryptographic superiority of TOTP
To eliminate these attack vectors, the Akuity SOC platform categorically refuses the use of SMS and requires TOTP (Time-Based One-Time Password) enrollment to validate the AAL2 assurance level of its analysts.
How does TOTP work?
The TOTP protocol relies on reputable third-party authentication applications, such as Google Authenticator, Microsoft Authenticator or Authy.
When connecting to Akuity for the first time, the analyst goes to the security settings tab (managed by the SecuritySettingsForm.tsx component). The server generates a unique secret cryptographic key (the seed) for this user and displays it in the form of a QR code.
When the analyst scans this QR Code, the secret key is physically stored in the security chip of their smartphone. From then on, the smartphone and Akuity's Supabase server share this secret.
The offline advantage
At each connection attempt, the smartphone application takes the secret key and the current time (hence the name Time-Based) and runs them through a mathematical formula that produces a 6-digit code valid for 30 seconds.
The immense advantage of this method is that no data passes through the network. The smartphone does not need a SIM card, Wi-Fi network, or cellular network to generate the code. There is therefore no SMS to intercept, and SIM Swapping becomes completely inoperative.
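The generation and server-side verification described above, as an added example that is not Akuity's code: a minimal RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) built from nothing but the shared seed and the clock, plus the otpauth URI that the enrollment QR code encodes. The issuer name and account address are assumptions; the seed is the RFC 6238 reference test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

TIME_STEP = 30    # seconds of validity per code, as the post describes
DIGITS = 6
DRIFT_WINDOW = 1  # accept one 30-second step of clock skew on either side

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of time steps since the Unix epoch.
    Only the shared seed and the clock are needed, so nothing crosses the network."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, code: str, unix_time: int, used: set) -> bool:
    """Server-side check: constant-time comparison over a small drift window, and
    each counter value is accepted once only, so a code already used cannot be replayed."""
    counter = unix_time // TIME_STEP
    for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        candidate = counter + delta
        if candidate in used:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            used.add(candidate)
            return True
    return False

def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """What the enrollment QR code encodes: the otpauth key URI understood by
    Google Authenticator, Microsoft Authenticator and Authy, with the seed in base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")

# Constructed demo seed: the RFC 6238 reference test key (ASCII "12345678901234567890").
DEMO_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri("Akuity SOC", "analyst@example.com", DEMO_SEED))  # assumed issuer/account
    print(totp(DEMO_SEED, 59))  # RFC 6238 test vector at T=59: "287082"
```

The `used` set stands in for per-user state a real server keeps in its database; without it the drift window would let a code that was just accepted be submitted a second time.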
Traceability and State Governance MFA
The robustness of a system is also measured by its governance capacity. What happens if an analyst decides to deactivate their MFA?
In Akuity SOC, the status of multi-factor authentication is rigorously monitored by the database.
- Immediate demotion: If a user deactivates their MFA (function unenrollMFA), their session cookie is instantly downgraded to the AAL1 assurance level. They immediately lose all access to the operational Cockpit.
- The security SQL trigger: A trigger in the database detects the deletion of the TOTP factor and switches the mfa_enabled column to false in the profile table. Workspace administrators are instantly aware that an account is no longer secure.
- The SOC 2 audit log: Activating and deactivating MFA generates attributable logs (MFA_ENROLL_INITIATED, MFA_ENABLED). If an attacker were to somehow manage to bypass security to disable MFA, this action would raise an immediate critical alert.
Conclusion: Lock the front door
Your incident response platform (SOAR) holds the keys to your and your customers' Microsoft infrastructure. Do not entrust the protection of this safe to a vulnerable SMS sent in clear text by telecom operators. The adoption of the TOTP standard is the only shield guaranteeing that the person who orders the isolation of a server is indeed the authorized analyst who is in front of his screen.
Strengthen access for your security team. Discover how the Akuity SOC MFA and TOTP management module applies the highest standards of authentication.