Multi-factor authentication (MFA) is one of the most effective controls you can implement.
It’s a core component of the Essential Eight, and it’s increasingly expected by regulators, insurers, and clients.
But not all MFA is created equal.
The problem with SMS
SMS-based MFA — where you receive a text message with a one-time code — is better than a password alone. But it has well-documented weaknesses:
SIM swapping — An attacker convinces your mobile provider to port your number to a new SIM. They then receive your MFA codes.
SS7 vulnerabilities — The underlying protocol that routes SMS messages has known security flaws that can be exploited to intercept messages.
Social engineering — Support staff at telcos can be manipulated into making changes that redirect SMS delivery.
For a firm handling sensitive financial, legal, or health data, these aren’t theoretical risks — they’re documented attack vectors used in real incidents.
What to use instead
Authenticator apps (Microsoft Authenticator, Google Authenticator) generate time-based codes on your device. They’re significantly harder to intercept because the codes are computed locally from a secret that never leaves your phone, so nothing is sent over the mobile network.
Push notifications (via Microsoft Authenticator or Duo) send a prompt to your device that you approve or deny. Combined with number matching (the user must enter the number shown on the login screen, so a prompt can’t be approved blindly), this is both more secure and more user-friendly than typing codes.
Hardware security keys (YubiKey, Google Titan) are the gold standard. They use cryptographic protocols (FIDO2/WebAuthn) that are phishing-resistant by design — even if a user is tricked into entering credentials on a fake site, the key won’t authenticate because the domain doesn’t match.
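The "domain doesn’t match" property is worth seeing in code. The following is an added illustration, not part of the original post and not the WebAuthn spec’s own reference code: a toy model of the three parties in a FIDO2 login (security key, browser, relying party) showing the two places the domain is enforced. The browser only lets a page ask for an RP ID that matches the page’s own origin, and the key only releases credentials scoped to that RP ID, so a look-alike site has nothing to relay. The domain names `bank.example` and `bank-example.com` are constructed, and the signature is an HMAC with the credential’s private key as a stand-in for the ECDSA/EdDSA signature a real key produces (a real relying party verifies with the registered public key and also checks the sign counter and user-presence flag).

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "bank.example"             # constructed relying-party domain
RP_ORIGIN = "https://bank.example"


def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of WebAuthn authenticatorData are SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


class SecurityKey:
    """Toy authenticator. Credentials are scoped to the RP ID they were created for.
    The signature is an HMAC stand-in for the asymmetric signature of a real FIDO2 key."""

    def __init__(self):
        self._creds = {}  # (rp_id, credential_id) -> private key bytes

    def make_credential(self, rp_id: str):
        cred_id, priv = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = priv
        return cred_id, priv  # priv is returned only so the toy RP can verify the HMAC stand-in

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        priv = self._creds.get((rp_id, cred_id))
        if priv is None:
            return None  # no credential for this RP ID: nothing to sign
        auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash | flags(UP) | signCount
        sig = hmac.new(priv, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(key: SecurityKey, page_origin: str, requested_rp_id: str, cred_id: bytes, challenge: bytes):
    """navigator.credentials.get() as the browser enforces it: the RP ID must be the page's
    effective domain or a registrable suffix of it, and the true origin goes into clientDataJSON."""
    host = urlparse(page_origin).hostname
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"RP ID {requested_rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}, sort_keys=True
    ).encode()
    result = key.get_assertion(requested_rp_id, cred_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(client_data: bytes, auth_data: bytes, sig: bytes, verify_key: bytes, challenge: bytes) -> bool:
    """Relying-party checks: origin, challenge, rpIdHash, then the signature over both."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False
    if not hmac.compare_digest(bytes.fromhex(cd.get("challenge", "")), challenge):
        return False
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(RP_ID)):
        return False
    expected = hmac.new(verify_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    key = SecurityKey()
    cred_id, verify_key = key.make_credential(RP_ID)
    challenge = secrets.token_bytes(32)

    # Genuine login from the real site.
    genuine = browser_get(key, RP_ORIGIN, RP_ID, cred_id, challenge)
    genuine_ok = genuine is not None and rp_verify(*genuine, verify_key, challenge)

    # Look-alike site showing the same login page. The browser refuses to let it use
    # bank.example's RP ID, and the RP ID it may use has no credential on the key.
    phish_origin = "https://bank-example.com"
    try:
        browser_get(key, phish_origin, RP_ID, cred_id, challenge)
        browser_refused = False
    except ValueError:
        browser_refused = True
    phish_assertion = browser_get(key, phish_origin, "bank-example.com", cred_id, challenge)
    return {"genuine_ok": genuine_ok, "browser_refused_rp_id": browser_refused, "phish_assertion": phish_assertion}


if __name__ == "__main__":
    print(demo())
```

Contrast this with a typed TOTP or SMS code, which carries no information about where it was entered: a fake page can forward it to the real site unchanged. Here the origin is baked into what the key signs, so there is nothing a fake page can forward.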
A practical approach
You don’t need to deploy hardware keys to every staff member on day one. A practical rollout might look like:
Immediately: Enforce authenticator app or push-based MFA for all users. Disable SMS as an MFA option.
Priority: Deploy hardware security keys to administrators, partners, and anyone with access to sensitive systems.
Over time: Roll out hardware keys more broadly as part of device refresh cycles.
The key is to move beyond SMS as quickly as possible, starting with your highest-risk accounts.
Getting started
If your firm is still relying on SMS-based MFA — or worse, hasn’t enforced MFA at all — get in touch.
We can help you plan and implement a stronger authentication strategy without disrupting your team’s workflow.